Office of Health, Safety and Security

Presentation transcript:

Office of Health, Safety and Security (HSS)
Overview of Personally Identifiable Information (PII) Protection Requirements
May 7, 2009
Ray Holmer, Director
Office of Information Management
Office of Resource Management
Office of Health, Safety, and Security
U.S. Department of Energy

Agenda
- Policies and Regulations
- Definition of PII
- Applicability
- Reporting Requirements
- Internal Actions / Requirements
- Liabilities
- Questions

Policies and Regulations
- Privacy Act of 1974
- Federal Information Security Management Act (FISMA) of 2002
- Health Insurance Portability and Accountability Act (HIPAA)
- Office of Management and Budget (OMB) Memorandum M-07-16, “Safeguarding Against and Responding to Breaches of Personally Identifiable Information”
- DOE O 206.1, “Department of Energy Privacy Program”
- DOE M 205.1-8, “Cyber Security Incident Management Manual”

Policies and Regulations
All DOE systems (paper based and IT based) and data collections / repositories are required to have:
- A Privacy Impact Assessment that details the data collection and the measures and controls governing the protection and release of that data
- A System of Records Notice (SORN) that defines the data collection and details the uses of the data, the purposes, and to whom the data can be released
Some examples of SORNs covering PII are:
- DOE-43, “Personal Security Clearance Files”
- DOE-51, “Employee and Visitor Access Control Records” (covers access control records and badge systems, paper and IT)
- DOE-63, “Personal Identity Verification (PIV) Files” (covers records generated or used in conjunction with HSPD-12)

Definition of PII
Any information maintained by the Department about an individual, including but not limited to education, financial transactions, medical history, and criminal or employment history, and information that can be used to distinguish or trace an individual’s identity, such as his/her name, social security number, date and place of birth, mother’s maiden name, biometric data, etc., and including any other personal information that is linked or linkable to a specific individual.

Definition of PII
Examples of PII when associated with an individual:
- Social Security Number
- Date and Place of Birth
- Credit Card Numbers
- Bank Accounts
- Mother’s Maiden Name
- Biometric Data
- Medical History / Work Exposure History
- Criminal and Employment History
A Social Security Number is PII by itself.
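Two of the PII elements listed above, Social Security Numbers and credit card numbers, have a checkable structure, which is what makes them findable by a data-loss-prevention scan of files or outgoing mail before they are mishandled. The following is an added example written for this page, not code from the HSS presentation or from DOE. It scans free text for both, rejects SSN-shaped strings that the Social Security Administration never issues (area 000, 666 or 900-999; group 00; serial 0000) and card-shaped digit runs that fail the Luhn checksum, and reports each finding with the digits masked. The sample text, the pattern names and the Finding record are all constructed for the example; the numbers in the sample are not real.

```python
import re
from dataclasses import dataclass

# Added example (not part of the HSS presentation): a small DLP-style scanner for
# SSNs and credit card numbers in free text. Sample input below is constructed.

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally grouped by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "SSN" or "CARD"
    masked: str    # digits with all but the last four hidden
    offset: int    # character position in the scanned text


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSA-issued numbers: area not 000, 666 or 900-999,
    group not 00, serial not 0000. Does not prove the number was issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by the major card brands; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself is not a PII leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings.append(Finding("SSN", mask(m.group(0).replace("-", "")), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("CARD", mask(digits), m.start()))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: one real-looking SSN, one Luhn-valid test card number,
# one case number that merely looks like an SSN, and a 12-digit order number.
SAMPLE = """Badge request for J. Doe, SSN 219-09-9999, card on file 4111 1111 1111 1111.
Ticket 000-12-3456 is a case number, not an SSN. Order 1234-5678-9012 shipped."""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind} at offset {f.offset}: {f.masked}")
```

Running the block reports the SSN and the card number and stays silent on the two look-alikes. In practice the scan would run on outgoing mail, shared drives or exported files, and a hit is exactly the “unencrypted e-mail, unencrypted files” mishandling the later slides ask staff to report.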

Applicability
This concerns actions to address data breaches of personally identifiable information (PII) that is collected, processed or maintained by DOE.
- Data includes but is not limited to PII that is stored on paper records, stored and/or transmitted through DOE computer systems, and sensitive data owned by DOE that is properly stored on non-DOE computer systems.
- Applies to DOE and DOE contractors, including HSS Cooperative Agreement Organizations.

Reporting Requirements
Types of breaches that must be reported include, but are not limited to, the following:
- loss of control of employee information consisting of names and social security numbers (including temporary loss of control);
- loss of control of Department credit card holder information;
- loss of control of PII pertaining to the public;
- loss of control of security information (e.g., logons, passwords, etc.);
- incorrect delivery of sensitive PII;
- theft of PII; and
- unauthorized access to PII stored on Department operated web sites.

Reporting Requirements
- PII breaches must be reported immediately upon discovery. This applies to all media, including paper, computer and electronic media.
- Reports of PII breaches will be transmitted via the DOE Cyber Incident Response Capability (DOE-CIRC) in accordance with applicable Deputy Secretary or Under Secretary policies and procedures.
- Immediate notifications are required to the HSS Federal Program lead and to the HSS Office of Resource Management / Office of Information Management.
- Within one hour of receiving the PII breach report, the DOE-CIRC will notify the U.S. Computer Emergency Response Team (US-CERT) of the breach, as set forth in OMB Directive 06-19 and in accordance with current incident reporting processes.
- Additionally, the DOE-CIRC will notify the Department’s Senior Agency Official for Privacy and other senior officials in accordance with current procedures.
- Additional notifications by HSS will include:
  - DOE Senior Management
  - Office of Management and Budget
  - House and Senate Committees
  - Other Government Agencies with an equity

Internal Actions / Requirements
Program Offices are responsible for compiling a report that contains:
- a brief description of what happened, including the dates of the data breach and of its discovery, if known;
- a description of the personnel information that was involved (e.g., full name, social security number, date of birth, home address, account numbers, etc.);
- a brief description of actions taken by the Department to investigate, mitigate losses and protect against any further breach of data;
- contact procedures to ask further questions or learn additional information, including a toll-free telephone number, email address, web site, and/or postal address;
- steps that individuals should take to protect themselves from the risk of identity theft, including steps to obtain fraud alerts, if appropriate, and instructions for obtaining other credit protection services (NOTE: alerts may include key changes to fraud reports and on-demand personal access to credit reports and scores); and
- a statement of whether the information was encrypted or protected by other means, when it is determined such information would be beneficial and would not compromise the security of any Departmental systems.

Internal Actions / Requirements
Risk Analysis / DOE Privacy Impact Response Team (PIRT) considers:
- the nature and content of the data (e.g., the data elements involved, such as name, social security number and/or date of birth, etc.);
- the ability of an unauthorized party to use the data, either by itself or in conjunction with other data or applications generally available, to commit identity theft or otherwise misuse the data to the disadvantage of the record subjects;
- ease of logical access to the data given the degree of protection for the data (e.g., unencrypted, plain text, etc.);
- ease of physical access to the data (e.g., the degree to which the data is readily available to unauthorized access);
- evidence indicating that the data may have been the target of unlawful acquisition;
- evidence that the same or similar data had been acquired from other sources improperly and used for identity theft;
- whether notification to affected individuals through the most expeditious means available is warranted; and
- whether further review and identification of systematic vulnerabilities or weaknesses and preventive measures are warranted.

Liabilities
The Department or Program Office may be responsible for:
- Providing credit monitoring service for 1 year
- Legal fees of individuals whose PII was lost / stolen
- Civil lawsuits
- Criminal prosecution (negligence)

HIPAA
Requirements for the protection of PHI are similar to those for PII:
- Health and Human Services (HHS) is drafting additional regulation as a result of the recent update to HIPAA
- The new regulations expand coverage beyond the medical community (lawyers, accountants / billers)
- Protection of information from unauthorized access or disclosure
- Recommend the use of encryption to protect data at rest and data in transit
- Look for HIPAA compliant software or FIPS 140-2 compliant software
- Only release data when appropriate for the individual to do their job

Understanding & Safeguarding PII
Loss of PII:
- Can lead to identity theft (which is costly to the individual and to the Government);
- Can result in adverse actions being taken against the employee who loses PII;
- Can erode confidence in the Government’s ability to protect personal information.

Safeguarding & Handling PII – The Do’s
- DO make sure all personal data is marked “FOR OFFICIAL USE ONLY” or “PRIVACY DATA”
- DO report any loss or unauthorized disclosure of personal data to your supervisor, program manager, Information System Security Manager, or Privacy Act Officer
- DO report any suspected security violation or poor security practices relating to personal data
- DO lock up all notes, documents, removable media, laptops and other materials containing personal data when not in use

Safeguarding & Handling PII – The Do’s
- DO log off, turn off, or lock your computer whenever you leave your desk
- DO protect personal data from unauthorized use
- DO encrypt personal data sent via email
- DO destroy personal data via shredder when no longer needed and retention is not required
- DO be conscious of your surroundings when discussing personal data, protecting verbal communication with the same heightened awareness as you would paper or electronic data

Safeguarding & Handling PII – The Don’ts
- DON’T leave personal data unattended
- DON’T take personal data home, in either paper or electronic format, without written permission of your manager or other official, as required
- DON’T discuss or entrust personal data to individuals who do not have a need to know
- DON’T discuss personal data on wireless or cordless phones (unless absolutely necessary)
- DON’T put personal data in the body of an email; rather, password-protect it as an attachment
- DON’T dispose of personal data in recycling bins or regular trash unless it has first been shredded

Safeguarding & Handling PII
- Review business and programmatic processes within your areas and eliminate all unnecessary collection of PII: if you aren’t going to use it, don’t collect it
- Report all mishandling of PII, e.g. unencrypted e-mail, unencrypted files
- Use software or hardware encryption methods; look for FIPS 140-2 compliance and / or HIPAA compliance
- There is no conflict between the Privacy Act and HIPAA

Questions
Contact Information
Raymond.Holmer@HQ.DOE.GOV
Telephone 301-903-7325