SlideShare ist ein Scribd-Unternehmen logo

HIPAA Privacy, Security, Breach Overview

•Als PPTX, PDF herunterladen•
•
HealthCare Too, LLC
HealthCare Too, LLC

Presentation on HIPAA Privacy, Security, Breach for Dublin Entrepreneurial Center (DEC) at Metro Data Center on Sept 12, 2013

Gesundheit & MedizinBusinessTechnologie
1 von 50
Don’t Get Hit by the HIPAA Omnibus: Are You Ready for Sept 23?
Disclaimers The material in this presentation and/or any remarks made by HealthCare Too, LLC personnel are NOT meant to provide legal advice or counsel. We intend this session to provide you with highlights of the new HIPAA Omnibus for your edification and for your own use at your own professional discretion. 8/6/13HealthCareToo,LLCProprietary 2
Scope 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act Or “The HIPAA Omnibus” was 138 pages when released on Jan 25, 2013. This presentation introduces several major changes at a high level but does not present all changes. 8/6/13HealthCareToo,LLCProprietary 3
Your Presenters • Tim Perry, MPA, CHTS-IS • Chief Information Officer, HealthCare Too, LLC • 25+ years of Health Information Technology and Compliance experience • Chief Technology Officer, Ecommerce, LLC (Cloud & Hosting) • Senior Vice President of Infrastructure Services, Reed Elsevier • Global IT Director, Johnson & Johnson • Consulting engagements at SmithKline Beecham, Merck • Education • Master of Technology Management, Univ of Pennsylvania • Master of Public Administration, The Ohio State University • Bachelor of Arts, The Ohio State University 8/6/13HealthCareToo,LLCProprietary 4
8/6/13 5
What’s in a Name? • Mega Rule • Omnibus • Final Rule 8/6/13HealthCareToo,LLCProprietary 6
Protected Health Information (PHI) 8/6/13HealthCareToo,LLCProprietary Individually identifiable Health Information List of 18 Identifiers • Names • All geographic subdivisions smaller than state • All elements of dates except year • Phone numbers • Fax numbers • Electronic mail addresses • Social Security numbers • Medical record numbers • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers and serial numbers • Device identifiers and serial numbers; • Web Universal Resource Locators (URLs); • Internet Protocol (IP) address numbers; • Biometric identifiers • Full face photographic images • Any other unique identifying number Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 7
8/6/13HealthCareToo,LLCProprietary 8 “Some Incident” Breach [A]cquisition, access, use, or disclosure of protected health information in a manner not permitted Risk Assessment Document & Done No Breach OCR Agreement for Corrective Action, Settlement, or Formal Finding and Fine Breach Verified Complaint A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary OCR Intake / Review Document & Done No Violation Possible Violation OCR Investigation Document & Done No Violation Violation Found [F]ailure to comply with an administrative simplification provision.
8/6/13HealthCareToo,LLCProprietary 9
Leon Rodriguez “I am the first Director of the Office of Civil Rights to come to the Office with experience, extensive experience, both in law enforcement and a healthcare provider lawyer and its my commitment to ramp up the enforcement of the Office.” 8/6/13HealthCareToo,LLCProprietary Oral Testimony to Senate Judiciary Subcommittee on Privacy, Technology, and Law “Your Health and Your Privacy: Protecting Health Information in a Digital World.”, Nov 2, 2011. 10
8/6/13HealthCareToo,LLCProprietary 11 HIPAA Resolutions by Type and Year (based on OCR data)
Reported 500+ Breaches in OH 8/6/13HealthCareToo,LLCProprietary 12 Patients Affected Date of Breach Type of Breach Location of Breach 60998 3/27/10 Theft Laptop 1001 4/22/10 Unauthorized Access/Disclosure Email 1200 6/13/10 Improper Disposal Paper 1309 6/11/10 Loss Laptop 13867 6/7/10 Theft Laptop 2123 7/29/10 Improper Disposal Paper 1000 11/15/10 Improper Disposal Paper 501 11/5/10 Theft Laptop, Computer 78,042 6/3/11 Theft Laptop 500 10/1/10 Improper Disposal Other (X-ray film) 15,000 10/01/2010 - 03/21/2012 Unauthorized Access/Disclosure Other 15000 10/1/2010 - 03/21/2012 Unauthorized Access/Disclosure Other 850 12/2/12 Theft Laptop, Network Server 2500 3/19/13 Theft Other 500 04/14/2013 - 04/19/2013 Loss Laptop 2203 5/29/13 Other Paper 78542 TOTAL
Notable Settlements Entity Amount Year WellPoint, Inc. (unattended weaknesses in online database) $1.7 million July 2013 Walgreens (pharmacist looked up a woman’s history) $1.44 million July 2013 MN AG & Accretive Health (started from July 2011 lost laptop) $2.5 million July 2013 Shasta Regional Med Center (disclosure of patient info to Media) $275,000 June 2013 Idaho State University (left a firewall down for 10 mos after maint) $400,000 May 2013 Goldthwait Associates & 4 Pathology Groups MA Attorney General (disposed of patient data at dump) $140,000 January 2013 8/6/13HealthCareToo,LLCProprietary 13
Compliance Deadline Omnibus HIPAA Final Rule • Published in Federal Register – January 25, 2013 • Effective Date – March 26, 2013 • Compliance Date – September 23, 2013 • Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts 8/6/13HealthCareToo,LLCProprietary 14
Covered Entities, Business Associates, and Subcontractors, Oh My! 8/6/13HealthCareToo,LLCProprietary 15
“Covered Entity” • (1) A health plan. • (2) A health care clearinghouse. • (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. • Note: if an electronic transaction is made on a provider’s behalf… it is considered the provider’s 8/6/13HealthCareToo,LLCProprietary 16
“Business Associate” What it says What it means “functions, activities or services on behalf of covered entities” “Create, receive, maintain, or transmit PHI” An employee of a CE is NOT a BA. Clarifies definition of BA to include: • Patient Safety Organizations, • Health Information Exchanges, • Personal Health Records Must have BAA in place Clarification that BAs are liable whether or not they have an agreement in place with the CE . (Marissa Gordon-Nguyen, JD, MPH Office for Civil Rights) 8/6/13HealthCareToo,LLCProprietary 17
“Subcontractors” What it says What it means "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." (45 CFR 160.103) "under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their BAs, and BAs must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows." Subcontractors are BAs: • Subject to HIPAA provisions • Directly liable for HIPAA violations • BA must have BAA with every subcontractor • Subcontractor must have BAA with its subcontractors, who are also BAs 8/6/13HealthCareToo,LLCProprietary 18
Agency • Covered Entities can be held liable for the violations caused by their Business Associates. • Business Associates can be held liable for the violations caused by their sub-contractors. • Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says. (WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair) 8/6/13HealthCareToo,LLCProprietary 19
Your PHI Ecosystem is Explicit 8/6/13HealthCareToo,LLCProprietary 20
8/6/13HealthCareToo,LLCProprietary 21 1 – 2 million ? ??? Never directly liable for HIPAA… until now.
8/6/13HealthCareToo,LLCProprietary WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup 22
8/6/13HealthCareToo,LLCProprietary WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup 23
Typical BA Functions (Again) • Claims processing or administration • Data analysis, processing or administration • Utilization review • Quality assurance billing • Benefit management • Practice management • Repricing 8/6/13HealthCareToo,LLCProprietary • Data Storage / Hosting • Legal • Actuarial • Accounting • Consulting • Data aggregation • Management • Administrative • Accreditation • Financial 24
Business Associates Must: 1. Comply with the HIPAA Security Rule 2. Report to Covered Entity any breach of unsecured PHI 3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate 4. Comply with the HIPAA Privacy Rule to the extent Business Associate is carrying out a Covered Entity’s Privacy Rule obligations 8/6/13HealthCareToo,LLCProprietary (WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair) 25
Breach Unauthorized acquisition, access, use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. 8/6/13HealthCareToo,LLCProprietary 26
Four-Factor PHI Breach Assessment 1. Nature and extent of PHI involved 2. Unauthorized person who used PHI or to whom disclosure was made 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI has been mitigated 8/6/13HealthCareToo,LLCProprietary “Guilty until proven innocent” Breach is now presumed 27
Breach Notification Less Than 500 Patient Records 500+ Patient Records Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach Notify HHS on an annual basis. Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach Notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. Provide notice to prominent media outlets serving the State or jurisdiction 8/6/13HealthCareToo,LLCProprietary HHS provides “safe harbor” for PHI that is encrypted or properly disposed of in keeping with early guidance. Note: When you notify of a breach, you are self-reporting a HIPAA violation and should make your counsel aware as well as conduct a new risk analysis with corrective actions. 28
8/6/13HealthCareToo,LLCProprietary Breach Discovered Risk Assessment 1. Nature and extent of PHI involved 2. Unauthorized person who used PHI or to whom disclosure was made 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI has been mitigated Document & Done No Breach Less Than 500? Notify Individuals Notify HHS Annually Notify Individuals Notify HHS w/i 60 days Notify Media Breach Yes No 29
Where? • Privacy Rule applies to any form of PHI • It’s about disclosures • Security Rule applies to electronic forms of PHI • Desktop • Laptop • Tablet Computer • Smart Phone • Cloud • USB “thumb drive” • CD / DVD • Floppy disk (if those even still exist) • …. 8/6/13HealthCareToo,LLCProprietary 30
Greater Use of Health Information Technology 8/6/13HealthCareToo,LLCProprietary 31
8/6/13HealthCareToo,LLCProprietary http://www.himss-oregon.org/events/pdf/ChrisGough-BigDataKeynote.pdf
8/6/13HealthCareToo,LLCProprietary The Size of the Issue…. 2 Kilobytes: A Typewritten page 1 Megabyte: A small novel 1 Gigabyte: A pickup truck filled with paper 1 Terabyte is 50,000 trees made into paper and printed 1 Petabyte of music would take ~2,000 years to play 1 Exabyte: 100,000X the printed material in the Lib of Congress 1 Zettabyte: ~62 Billion iPhones (stacked would pass the moon) http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html To store a Yottabyte on terabyte sized hard drives would require a million city block size data-centers… as big as the states of Delaware and Rhode Island http://en.wikipedia.org/
Privacy Rule Privacy Rule Covered Entity • Marketing & Fundraising • Sale of protected health information (PHI) • Right to request restrictions • Electronic access for patient • Delegates • Genetic info for underwriting prohibited • Immunization records with parent approval • Decedent PHI protected for 50 years Business Associate BAA at least as strict as CE Subcontractor BAA at least as strict as BA 8/6/13HealthCareToo,LLCProprietary 34
8/6/13HealthCareToo,LLCProprietary 35
Security Rule: Phys Safeguards Required Addressable Workstation Use (R) Workstation Security (R) Disposal (R) Media Re-use (R) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Accountability (A) Data Backup and Storage (A) 8/6/13HealthCareToo,LLCProprietary 36 Applies to: Covered Entity, Business Associates, and Subcontractors
Security Rule: Admin Safeguards Required Addressable Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (R) Isolating Health Care Clearinghouse Function (R) Response and Reporting (R) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Evaluation (R) Written Contract or Other Arrangement (R) Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) Access Authorization (A) Access Establishment and Modification (A) Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) 8/6/13HealthCareToo,LLCProprietary 37 Applies to: Covered Entity, Business Associates, and Subcontractors
Security Rule: Tech Safeguards Required Addressable Unique User Identification (R) Emergency Access Procedure (R) Audit Controls (R) Person or Entity Authentication (R) Automatic Logoff (A) Encryption and Decryption (A) Mechanism to Authenticate Electronic PHI (A) Integrity Controls (A) Encryption (A) 8/6/13HealthCareToo,LLCProprietary 38 Applies to: Covered Entity, Business Associates, and Subcontractors
Security Rule: Org Reqmnts Required Addressable Business Associate Contracts (R) Group Health Plans (R) Documentation Time Limit (R) Availability (R) Updates (R) 8/6/13HealthCareToo,LLCProprietary 39 Applies to: Covered Entity, Business Associates, and Subcontractors
2007 Original Omnibus 8/6/13HealthCareToo,LLCProprietary 40
8/6/13HealthCareToo,LLCProprietary 41 For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. -HIPAA Omnibus If I Store Data Online Does HIPAA Apply to the Hoster?
What’s Your Hosting Service? 8/6/13HealthCareToo,LLCProprietary 42 Shared Dedicated Medical-grade Cloud Price ~$7.95/month ~$50+ / month ~$300+ / month BA Agreement Violation? Violation? Risk Analysis Violation? Violation? 24 X 7 Monitoring Violation? Violation? Encryption Violation? Violation? Audit Logs Violation? Violation? Monthly Report Violation? Violation? DR Plan Violation? Violation? Data Backup Violation? Violation? Disposal Policy Violation? Violation? Unique User ID Violation? Violation? AND MUCH, MUCH, MUCH MORE
Fine Structure 8/6/13HealthCareToo,LLCProprietary Violation Category Per Violation Per Calendar Year Did Not Know $100 - $50,000 $1,500,000 Reasonable Cause $1,000 - $50,000 $1,500,000 Willful Neglect – Corrected $10,000 - $50,000 $1,500,000 Willful Neglect – Not Corrected $50,000 $1,500,000 43
Last year we had a $1.5M settlement with BCBS TN that had 57 hard drives stolen from a storage facility. The citation that drove the penalty was NOT the breach. Rather, the penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards. They could have turned that storage facility into Fort Knox, and it might have still been breached. But the problem was they didn’t implement any preventive policies or procedures or appropriate administrative or physical safeguards. This is a great example of the lack of ongoing attention to compliance. 8/6/13HealthCareToo,LLCProprietary HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR Posted on March 22, 2013 by April Sage Leon Rodriguez, Director Office for Civil Rights 44
Another Real Life Example Breach of less than 500 patients' PHI • Hospice of North Idaho fined $50,000 • Unencrypted laptop was stolen from an employee's car. • OCR found that HONI (1) did not conduct a risk analysis to safeguard ePHI and (2) did not have policies/procedures in place to address mobile device security. 8/6/13HealthCareToo,LLCProprietary 45
Patient Rights over PHI What it says What it means In this final rule, we strengthen an individual’s right to receive an electronic copy of his or her protected health information. The final rule requires that a covered health care provider agree in most cases to an individual’s request to restrict disclosure to a health plan of the individual’s protected health information that pertains to a health care service for which the individual has paid the health care provider in full out of pocket. If you use an EHR, you must provide an e-copy of PHI to patients upon request, within timeframe and costs of Final Rule. Patients may pay for treatment and ask provider to withhold PHI from insurer. 8/6/13HealthCareToo,LLCProprietary 46
Street Value of Medical Records A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000,” according to Pam Dixon, executive director of the World Privacy Forum. "Compare that to just $2,000 for the average payout for regular ID theft. 8/6/13HealthCareToo,LLCProprietary “Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk”, http://www.prweb.com/releases/2013/2/prweb10412883.htm 47
8/6/13HealthCareToo,LLCProprietary Value of Protected Health Information Big Data / Internet of Things Aging US Pop Gene Data EHRs / HIEs Social Nets / PHRs Cyber Crimes Data GovernanceNon-compliance
Resources • Jan 17, 2013 New Release on Omnibus http://www.hhs.gov/news/press/2013pres/01/20130117 b.html • Poyner Spruill Summary of HIPAA Omnibus http://www.poynerspruill.com/publications/Pages/sum maryofNewHIPAARules.aspx • Health Information Privacy http://www.hhs.gov/ocr/privacy/hipaa/understanding/in dex.html • Enforcement Examples http://www.hhs.gov/ocr/privacy/hipaa/enforcement/exa mples/index.html • HHS “Wall of Shame” http://www.hhs.gov/ocr/privacy/hipaa/administrative/br eachnotificationrule/breachtool.html 8/6/13HealthCareToo,LLCProprietary 49
Questions 8/6/13HealthCareToo,LLCProprietary 50 888-596-HEAL (4325) info@healthcaretoo.com

Empfohlen

Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law padler01
 
HIPAA Overview
HIPAA OverviewHIPAA Overview
HIPAA OverviewTim Perry, MPA, MS, CPHIMS, PCMH CCE, CISSP
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
Key Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends ReportKey Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends ReportClio - Cloud-Based Legal Technology
 
How can you improve cybersecurity at your law firm?
How can you improve cybersecurity at your law firm?How can you improve cybersecurity at your law firm?
How can you improve cybersecurity at your law firm?Clio - Cloud-Based Legal Technology
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond ConfidentialityPrivacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond ConfidentialityClio - Cloud-Based Legal Technology
 

Empfohlen

Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law padler01
 
HIPAA Overview
HIPAA OverviewHIPAA Overview
HIPAA OverviewTim Perry, MPA, MS, CPHIMS, PCMH CCE, CISSP
 
Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidancePrivacy and Data Security: Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
Key Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends ReportKey Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends ReportClio - Cloud-Based Legal Technology
 
How can you improve cybersecurity at your law firm?
How can you improve cybersecurity at your law firm?How can you improve cybersecurity at your law firm?
How can you improve cybersecurity at your law firm?Clio - Cloud-Based Legal Technology
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Privacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond ConfidentialityPrivacy Compliance for Law Firms: Moving Beyond Confidentiality
Privacy Compliance for Law Firms: Moving Beyond ConfidentialityClio - Cloud-Based Legal Technology
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAGurvinder Singh, CISSP, CISA, ITIL v3
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!catherinecoulter
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020Christo W. Meyer
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White PaperDmcenter
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013- Mark - Fullbright
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltRochester Security Summit
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationBradley Arant Boult Cummings LLP
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Servicegorsline
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationOlivier Vandeputte
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Diana Maier
 
Hot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationHot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationBradley Arant Boult Cummings LLP
 
Privacy in the Workplace: Electronic Surveillance under State and Federal Law
Privacy in the Workplace: Electronic Surveillance under State and Federal LawPrivacy in the Workplace: Electronic Surveillance under State and Federal Law
Privacy in the Workplace: Electronic Surveillance under State and Federal LawCharles Mudd
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
Cloud Security Law Issues--an Overview
Cloud Security Law Issues--an OverviewCloud Security Law Issues--an Overview
Cloud Security Law Issues--an OverviewMichael C. Keeling, Esq.
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
Hipaa Goes Hitech
Hipaa Goes HitechHipaa Goes Hitech
Hipaa Goes HitechCandy Matheny
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleJames Pekarek
 

Weitere ähnliche Inhalte

Was ist angesagt?

What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!catherinecoulter
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020Christo W. Meyer
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White PaperDmcenter
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013- Mark - Fullbright
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltRochester Security Summit
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationBradley Arant Boult Cummings LLP
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Servicegorsline
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationOlivier Vandeputte
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Diana Maier
 
Privacy in the Workplace: Electronic Surveillance under State and Federal Law
Privacy in the Workplace: Electronic Surveillance under State and Federal LawPrivacy in the Workplace: Electronic Surveillance under State and Federal Law
Privacy in the Workplace: Electronic Surveillance under State and Federal LawCharles Mudd
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
Cloud Security Law Issues--an Overview
Cloud Security Law Issues--an OverviewCloud Security Law Issues--an Overview
Cloud Security Law Issues--an OverviewMichael C. Keeling, Esq.
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 

Was ist angesagt? (19)

HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAA
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!What You Need To Know About Privacy Now!
What You Need To Know About Privacy Now!
 
Uchi data local presentation 2020
Uchi data local presentation 2020Uchi data local presentation 2020
Uchi data local presentation 2020
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork Quilt
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident Simulation
 
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance ServiceTBG Security Mgl93 H 201 CMR17.00 Compliance Service
TBG Security Mgl93 H 201 CMR17.00 Compliance Service
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection Regulation
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
 
Hot Topics in Data Breach Litigation
Hot Topics in Data Breach LitigationHot Topics in Data Breach Litigation
Hot Topics in Data Breach Litigation
 
Privacy in the Workplace: Electronic Surveillance under State and Federal Law
Privacy in the Workplace: Electronic Surveillance under State and Federal LawPrivacy in the Workplace: Electronic Surveillance under State and Federal Law
Privacy in the Workplace: Electronic Surveillance under State and Federal Law
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About Privacy
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
Cloud Security Law Issues--an Overview
Cloud Security Law Issues--an OverviewCloud Security Law Issues--an Overview
Cloud Security Law Issues--an Overview
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to Know
 

Ă„hnlich wie HIPAA Privacy, Security, Breach Overview

HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
Hipaa Goes Hitech
Hipaa Goes HitechHipaa Goes Hitech
Hipaa Goes HitechCandy Matheny
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleJames Pekarek
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentationProvider Resources Group
 
Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...
Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...
Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...Health Catalyst
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to YouWinston & Strawn LLP
 
Privacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxPrivacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxMohammadBashir26
 
HIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldHIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldRyan Snell
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 
Doctor Shopping and Real-time, Cross-state Prevention with Castlestone
Doctor Shopping and Real-time, Cross-state Prevention with CastlestoneDoctor Shopping and Real-time, Cross-state Prevention with Castlestone
Doctor Shopping and Real-time, Cross-state Prevention with CastlestoneDoug Brockway
 
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013RightScale
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simpleJose Ivan Delgado, Ph.D.
 
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdfChapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdfprajeetjain
 
I D Theft Employee Presentation2
I D Theft Employee Presentation2I D Theft Employee Presentation2
I D Theft Employee Presentation2Heather Smith
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
Business Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and RequirementsBusiness Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and Requirementsdata brackets
 

Ă„hnlich wie HIPAA Privacy, Security, Breach Overview (20)

HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
Hipaa Goes Hitech
Hipaa Goes HitechHipaa Goes Hitech
Hipaa Goes Hitech
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy Rule
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
 
Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...
Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...
Exceptions to Information Blocking Defined in Proposed Rule: Here’s What You ...
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
 
Privacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxPrivacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptx
 
HIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldHIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile World
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
Doctor Shopping and Real-time, Cross-state Prevention with Castlestone
Doctor Shopping and Real-time, Cross-state Prevention with CastlestoneDoctor Shopping and Real-time, Cross-state Prevention with Castlestone
Doctor Shopping and Real-time, Cross-state Prevention with Castlestone
 
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
 
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdfChapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
Chapter 14 Managing Projects 569 A Shaky Start for Healthcare.Gov CAS.pdf
 
I D Theft Employee Presentation2
I D Theft Employee Presentation2I D Theft Employee Presentation2
I D Theft Employee Presentation2
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
Business Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and RequirementsBusiness Associate Assessment, Agreement and Requirements
Business Associate Assessment, Agreement and Requirements
 

KĂĽrzlich hochgeladen

call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?bkling
 
call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️saminamagar
 
epilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptxepilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptxMohamed Rizk Khodair
 
PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...
PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...
PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...Badalona Serveis Assistencials
 
Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxDr.Nusrat Tariq
 
Culture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxCulture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxDr. Dheeraj Kumar
 
History and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfHistory and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfSasikiranMarri
 
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaurMETHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaurNavdeep Kaur
 
Glomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptxGlomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptxDr.Nusrat Tariq
 
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxPERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxdrashraf369
 
Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Mohamed Rizk Khodair
 
Lippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdf
Lippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdfLippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdf
Lippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdfSreeja Cherukuru
 
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara RajendranMusic Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara RajendranTara Rajendran
 
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...saminamagar
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxSasikiranMarri
 
LUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdfLUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdfDolisha Warbi
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfPNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfDolisha Warbi
 
Case Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxCase Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxNiranjan Chavan
 

KĂĽrzlich hochgeladen (20)

call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in aerocity DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?Let's Talk About It: To Disclose or Not to Disclose?
Let's Talk About It: To Disclose or Not to Disclose?
 
call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
call girls in paharganj DELHI 🔝 >༒9540349809 🔝 genuine Escort Service 🔝✔️✔️
 
epilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptxepilepsy and status epilepticus for undergraduate.pptx
epilepsy and status epilepticus for undergraduate.pptx
 
PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...
PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...
PresentaciĂł "Real-Life VR Integration for Mild Cognitive Impairment Rehabilit...
 
Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptx
 
Culture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptxCulture and Health Disorders Social change.pptx
Culture and Health Disorders Social change.pptx
 
History and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdfHistory and Development of Pharmacovigilence.pdf
History and Development of Pharmacovigilence.pdf
 
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaurMETHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
METHODS OF ACQUIRING KNOWLEDGE IN NURSING.pptx by navdeep kaur
 
Glomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptxGlomerular Filtration and determinants of glomerular filtration .pptx
Glomerular Filtration and determinants of glomerular filtration .pptx
 
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptxPERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
PERFECT BUT PAINFUL TKR -ROLE OF SYNOVECTOMY.pptx
 
Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)Primary headache and facial pain. (2024)
Primary headache and facial pain. (2024)
 
Lippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdf
Lippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdfLippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdf
Lippincott Microcards_ Microbiology Flash Cards-LWW (2015).pdf
 
Epilepsy
EpilepsyEpilepsy
Epilepsy
 
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara RajendranMusic Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
Music Therapy's Impact in Palliative Care| IAPCON2024| Dr. Tara Rajendran
 
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
call girls in Dwarka Sector 21 Metro DELHI 🔝 >༒9540349809 🔝 genuine Escort Se...
 
Informed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptxInformed Consent Empowering Healthcare Decision-Making.pptx
Informed Consent Empowering Healthcare Decision-Making.pptx
 
LUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdfLUNG TUMORS AND ITS CLASSIFICATIONS.pdf
LUNG TUMORS AND ITS CLASSIFICATIONS.pdf
 
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdfPNEUMOTHORAX AND ITS MANAGEMENTS.pdf
PNEUMOTHORAX AND ITS MANAGEMENTS.pdf
 
Case Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptxCase Report Peripartum Cardiomyopathy.pptx
Case Report Peripartum Cardiomyopathy.pptx
 

HIPAA Privacy, Security, Breach Overview

  • 1. Don’t Get Hit by the HIPAA Omnibus: Are You Ready for Sept 23?
  • 2. Disclaimers The material in this presentation and/or any remarks made by HealthCare Too, LLC personnel are NOT meant to provide legal advice or counsel. We intend this session to provide you with highlights of the new HIPAA Omnibus for your edification and for your own use at your own professional discretion. 8/6/13HealthCareToo,LLCProprietary 2
  • 3. Scope 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act Or “The HIPAA Omnibus” was 138 pages when released on Jan 25, 2013. This presentation introduces several major changes at a high level but does not present all changes. 8/6/13HealthCareToo,LLCProprietary 3
  • 4. Your Presenters • Tim Perry, MPA, CHTS-IS • Chief Information Officer, HealthCare Too, LLC • 25+ years of Health Information Technology and Compliance experience • Chief Technology Officer, Ecommerce, LLC (Cloud & Hosting) • Senior Vice President of Infrastructure Services, Reed Elsevier • Global IT Director, Johnson & Johnson • Consulting engagements at SmithKline Beecham, Merck • Education • Master of Technology Management, Univ of Pennsylvania • Master of Public Administration, The Ohio State University • Bachelor of Arts, The Ohio State University 8/6/13HealthCareToo,LLCProprietary 4
  • 6. What’s in a Name? • Mega Rule • Omnibus • Final Rule 8/6/13HealthCareToo,LLCProprietary 6
  • 7. Protected Health Information (PHI) 8/6/13HealthCareToo,LLCProprietary Individually identifiable Health Information List of 18 Identifiers • Names • All geographic subdivisions smaller than state • All elements of dates except year • Phone numbers • Fax numbers • Electronic mail addresses • Social Security numbers • Medical record numbers • Health plan beneficiary numbers • Account numbers • Certificate/license numbers • Vehicle identifiers and serial numbers • Device identifiers and serial numbers; • Web Universal Resource Locators (URLs); • Internet Protocol (IP) address numbers; • Biometric identifiers • Full face photographic images • Any other unique identifying number Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 7
  • 8. 8/6/13HealthCareToo,LLCProprietary 8 “Some Incident” Breach [A]cquisition, access, use, or disclosure of protected health information in a manner not permitted Risk Assessment Document & Done No Breach OCR Agreement for Corrective Action, Settlement, or Formal Finding and Fine Breach Verified Complaint A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary OCR Intake / Review Document & Done No Violation Possible Violation OCR Investigation Document & Done No Violation Violation Found [F]ailure to comply with an administrative simplification provision.
  • 10. Leon Rodriguez “I am the first Director of the Office of Civil Rights to come to the Office with experience, extensive experience, both in law enforcement and a healthcare provider lawyer and its my commitment to ramp up the enforcement of the Office.” 8/6/13HealthCareToo,LLCProprietary Oral Testimony to Senate Judiciary Subcommittee on Privacy, Technology, and Law “Your Health and Your Privacy: Protecting Health Information in a Digital World.”, Nov 2, 2011. 10
  • 12. Reported 500+ Breaches in OH 8/6/13HealthCareToo,LLCProprietary 12 Patients Affected Date of Breach Type of Breach Location of Breach 60998 3/27/10 Theft Laptop 1001 4/22/10 Unauthorized Access/Disclosure Email 1200 6/13/10 Improper Disposal Paper 1309 6/11/10 Loss Laptop 13867 6/7/10 Theft Laptop 2123 7/29/10 Improper Disposal Paper 1000 11/15/10 Improper Disposal Paper 501 11/5/10 Theft Laptop, Computer 78,042 6/3/11 Theft Laptop 500 10/1/10 Improper Disposal Other (X-ray film) 15,000 10/01/2010 - 03/21/2012 Unauthorized Access/Disclosure Other 15000 10/1/2010 - 03/21/2012 Unauthorized Access/Disclosure Other 850 12/2/12 Theft Laptop, Network Server 2500 3/19/13 Theft Other 500 04/14/2013 - 04/19/2013 Loss Laptop 2203 5/29/13 Other Paper 78542 TOTAL
  • 13. Notable Settlements Entity Amount Year WellPoint, Inc. (unattended weaknesses in online database) $1.7 million July 2013 Walgreens (pharmacist looked up a woman’s history) $1.44 million July 2013 MN AG & Accretive Health (started from July 2011 lost laptop) $2.5 million July 2013 Shasta Regional Med Center (disclosure of patient info to Media) $275,000 June 2013 Idaho State University (left a firewall down for 10 mos after maint) $400,000 May 2013 Goldthwait Associates & 4 Pathology Groups MA Attorney General (disposed of patient data at dump) $140,000 January 2013 8/6/13HealthCareToo,LLCProprietary 13
  • 14. Compliance Deadline Omnibus HIPAA Final Rule • Published in Federal Register – January 25, 2013 • Effective Date – March 26, 2013 • Compliance Date – September 23, 2013 • Transition Period to Conform BA Contracts – Up to September 22, 2014, for Qualifying Contracts 8/6/13HealthCareToo,LLCProprietary 14
  • 15. Covered Entities, Business Associates, and Subcontractors, Oh My! 8/6/13HealthCareToo,LLCProprietary 15
  • 16. “Covered Entity” • (1) A health plan. • (2) A health care clearinghouse. • (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. • Note: if an electronic transaction is made on a provider’s behalf… it is considered the provider’s 8/6/13HealthCareToo,LLCProprietary 16
  • 17. “Business Associate” What it says What it means “functions, activities or services on behalf of covered entities” “Create, receive, maintain, or transmit PHI” An employee of a CE is NOT a BA. Clarifies definition of BA to include: • Patient Safety Organizations, • Health Information Exchanges, • Personal Health Records Must have BAA in place Clarification that BAs are liable whether or not they have an agreement in place with the CE . (Marissa Gordon-Nguyen, JD, MPH Office for Civil Rights) 8/6/13HealthCareToo,LLCProprietary 17
  • 18. “Subcontractors” What it says What it means "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." (45 CFR 160.103) "under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their BAs, and BAs must do the same with regard to subcontractors, and so on, no matter how far 'down the chain' the information flows." Subcontractors are BAs: • Subject to HIPAA provisions • Directly liable for HIPAA violations • BA must have BAA with every subcontractor • Subcontractor must have BAA with its subcontractors, who are also BAs 8/6/13HealthCareToo,LLCProprietary 18
  • 19. Agency • Covered Entities can be held liable for the violations caused by their Business Associates. • Business Associates can be held liable for the violations caused by their sub-contractors. • Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says. (WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair) 8/6/13HealthCareToo,LLCProprietary 19
  • 20. Your PHI Ecosystem is Explicit 8/6/13HealthCareToo,LLCProprietary 20
  • 21. 8/6/13HealthCareToo,LLCProprietary 21 1 – 2 million ? ??? Never directly liable for HIPAA… until now.
  • 22. 8/6/13HealthCareToo,LLCProprietary WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup 22
  • 23. 8/6/13HealthCareToo,LLCProprietary WEDI Privacy & Security Workgroup, Business Associate Sub-Workgroup 23
  • 24. Typical BA Functions (Again) • Claims processing or administration • Data analysis, processing or administration • Utilization review • Quality assurance billing • Benefit management • Practice management • Repricing 8/6/13HealthCareToo,LLCProprietary • Data Storage / Hosting • Legal • Actuarial • Accounting • Consulting • Data aggregation • Management • Administrative • Accreditation • Financial 24
  • 25. Business Associates Must: 1. Comply with the HIPAA Security Rule 2. Report to Covered Entity any breach of unsecured PHI 3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate 4. Comply with the HIPAA Privacy Rule to the extent Business Associate is carrying out a Covered Entity’s Privacy Rule obligations 8/6/13HealthCareToo,LLCProprietary (WEDI presentation by Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA WEDI Privacy & Security Co-Chair) 25
  • 26. Breach Unauthorized acquisition, access, use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. 8/6/13HealthCareToo,LLCProprietary 26
  • 27. Four-Factor PHI Breach Assessment 1. Nature and extent of PHI involved 2. Unauthorized person who used PHI or to whom disclosure was made 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI has been mitigated 8/6/13HealthCareToo,LLCProprietary “Guilty until proven innocent” Breach is now presumed 27
  • 28. Breach Notification Less Than 500 Patient Records 500+ Patient Records Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach Notify HHS on an annual basis. Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach Notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. Provide notice to prominent media outlets serving the State or jurisdiction 8/6/13HealthCareToo,LLCProprietary HHS provides “safe harbor” for PHI that is encrypted or properly disposed of in keeping with early guidance. Note: When you notify of a breach, you are self-reporting a HIPAA violation and should make your counsel aware as well as conduct a new risk analysis with corrective actions. 28
  • 29. 8/6/13HealthCareToo,LLCProprietary Breach Discovered Risk Assessment 1. Nature and extent of PHI involved 2. Unauthorized person who used PHI or to whom disclosure was made 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI has been mitigated Document & Done No Breach Less Than 500? Notify Individuals Notify HHS Annually Notify Individuals Notify HHS w/i 60 days Notify Media Breach Yes No 29
  • 30. Where? • Privacy Rule applies to any form of PHI • It’s about disclosures • Security Rule applies to electronic forms of PHI • Desktop • Laptop • Tablet Computer • Smart Phone • Cloud • USB “thumb drive” • CD / DVD • Floppy disk (if those even still exist) • …. 8/6/13HealthCareToo,LLCProprietary 30
  • 31. Greater Use of Health Information Technology 8/6/13HealthCareToo,LLCProprietary 31
  • 33. 8/6/13HealthCareToo,LLCProprietary The Size of the Issue…. 2 Kilobytes: A Typewritten page 1 Megabyte: A small novel 1 Gigabyte: A pickup truck filled with paper 1 Terabyte is 50,000 trees made into paper and printed 1 Petabyte of music would take ~2,000 years to play 1 Exabyte: 100,000X the printed material in the Lib of Congress 1 Zettabyte: ~62 Billion iPhones (stacked would pass the moon) http://highscalability.com/blog/2012/9/11/how-big-is-a-petabyte-exabyte-zettabyte-or-a-yottabyte.html To store a Yottabyte on terabyte sized hard drives would require a million city block size data-centers… as big as the states of Delaware and Rhode Island http://en.wikipedia.org/
  • 34. Privacy Rule Privacy Rule Covered Entity • Marketing & Fundraising • Sale of protected health information (PHI) • Right to request restrictions • Electronic access for patient • Delegates • Genetic info for underwriting prohibited • Immunization records with parent approval • Decedent PHI protected for 50 years Business Associate BAA at least as strict as CE Subcontractor BAA at least as strict as BA 8/6/13HealthCareToo,LLCProprietary 34
  • 36. Security Rule: Phys Safeguards Required Addressable Workstation Use (R) Workstation Security (R) Disposal (R) Media Re-use (R) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Accountability (A) Data Backup and Storage (A) 8/6/13HealthCareToo,LLCProprietary 36 Applies to: Covered Entity, Business Associates, and Subcontractors
  • 37. Security Rule: Admin Safeguards Required Addressable Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (R) Isolating Health Care Clearinghouse Function (R) Response and Reporting (R) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Evaluation (R) Written Contract or Other Arrangement (R) Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) Access Authorization (A) Access Establishment and Modification (A) Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) 8/6/13HealthCareToo,LLCProprietary 37 Applies to: Covered Entity, Business Associates, and Subcontractors
  • 38. Security Rule: Tech Safeguards Required Addressable Unique User Identification (R) Emergency Access Procedure (R) Audit Controls (R) Person or Entity Authentication (R) Automatic Logoff (A) Encryption and Decryption (A) Mechanism to Authenticate Electronic PHI (A) Integrity Controls (A) Encryption (A) 8/6/13HealthCareToo,LLCProprietary 38 Applies to: Covered Entity, Business Associates, and Subcontractors
  • 39. Security Rule: Org Reqmnts Required Addressable Business Associate Contracts (R) Group Health Plans (R) Documentation Time Limit (R) Availability (R) Updates (R) 8/6/13HealthCareToo,LLCProprietary 39 Applies to: Covered Entity, Business Associates, and Subcontractors
  • 41. 8/6/13HealthCareToo,LLCProprietary 41 For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. -HIPAA Omnibus If I Store Data Online Does HIPAA Apply to the Hoster?
  • 42. What’s Your Hosting Service? 8/6/13HealthCareToo,LLCProprietary 42 Shared Dedicated Medical-grade Cloud Price ~$7.95/month ~$50+ / month ~$300+ / month BA Agreement Violation? Violation? Risk Analysis Violation? Violation? 24 X 7 Monitoring Violation? Violation? Encryption Violation? Violation? Audit Logs Violation? Violation? Monthly Report Violation? Violation? DR Plan Violation? Violation? Data Backup Violation? Violation? Disposal Policy Violation? Violation? Unique User ID Violation? Violation? AND MUCH, MUCH, MUCH MORE
  • 43. Fine Structure 8/6/13HealthCareToo,LLCProprietary Violation Category Per Violation Per Calendar Year Did Not Know $100 - $50,000 $1,500,000 Reasonable Cause $1,000 - $50,000 $1,500,000 Willful Neglect – Corrected $10,000 - $50,000 $1,500,000 Willful Neglect – Not Corrected $50,000 $1,500,000 43
  • 44. Last year we had a $1.5M settlement with BCBS TN that had 57 hard drives stolen from a storage facility. The citation that drove the penalty was NOT the breach. Rather, the penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards. They could have turned that storage facility into Fort Knox, and it might have still been breached. But the problem was they didn’t implement any preventive policies or procedures or appropriate administrative or physical safeguards. This is a great example of the lack of ongoing attention to compliance. 8/6/13HealthCareToo,LLCProprietary HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR Posted on March 22, 2013 by April Sage Leon Rodriguez, Director Office for Civil Rights 44
  • 45. Another Real Life Example Breach of less than 500 patients' PHI • Hospice of North Idaho fined $50,000 • Unencrypted laptop was stolen from an employee's car. • OCR found that HONI (1) did not conduct a risk analysis to safeguard ePHI and (2) did not have policies/procedures in place to address mobile device security. 8/6/13HealthCareToo,LLCProprietary 45
  • 46. Patient Rights over PHI What it says What it means In this final rule, we strengthen an individual’s right to receive an electronic copy of his or her protected health information. The final rule requires that a covered health care provider agree in most cases to an individual’s request to restrict disclosure to a health plan of the individual’s protected health information that pertains to a health care service for which the individual has paid the health care provider in full out of pocket. If you use an EHR, you must provide an e-copy of PHI to patients upon request, within timeframe and costs of Final Rule. Patients may pay for treatment and ask provider to withhold PHI from insurer. 8/6/13HealthCareToo,LLCProprietary 46
  • 47. Street Value of Medical Records A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000,” according to Pam Dixon, executive director of the World Privacy Forum. "Compare that to just $2,000 for the average payout for regular ID theft. 8/6/13HealthCareToo,LLCProprietary “Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk”, http://www.prweb.com/releases/2013/2/prweb10412883.htm 47
  • 48. 8/6/13HealthCareToo,LLCProprietary Value of Protected Health Information Big Data / Internet of Things Aging US Pop Gene Data EHRs / HIEs Social Nets / PHRs Cyber Crimes Data GovernanceNon-compliance
  • 49. Resources • Jan 17, 2013 New Release on Omnibus http://www.hhs.gov/news/press/2013pres/01/20130117 b.html • Poyner Spruill Summary of HIPAA Omnibus http://www.poynerspruill.com/publications/Pages/sum maryofNewHIPAARules.aspx • Health Information Privacy http://www.hhs.gov/ocr/privacy/hipaa/understanding/in dex.html • Enforcement Examples http://www.hhs.gov/ocr/privacy/hipaa/enforcement/exa mples/index.html • HHS “Wall of Shame” http://www.hhs.gov/ocr/privacy/hipaa/administrative/br eachnotificationrule/breachtool.html 8/6/13HealthCareToo,LLCProprietary 49