© 2010-12 Clearwater Compliance LLC | All Rights Reserved

Presentation transcript:

© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Welcome to today's Live Event... we will begin shortly. Please feel free to use "Chat" or "Q&A" to tell us any 'burning' questions you may have in advance.

Webinar slide deck: How-To-Meet-HIPAA-HITECH-Encryption-Requirements_V3.pdf. Check the "Chat" or "Question" area on the GoToWebinar control panel to copy/paste the link and download the materials.

How to Meet HIPAA-HITECH Encryption Requirements & Beyond
WEBINAR, January 17, 2014
Stephen Treglia, JD, Legal Counsel, Recovery Section, Absolute Software Corporation
Bob Chaput, CISSP, CIPP-US, CHP, CHSS, CEO & Founder, Clearwater Compliance LLC

About HIPAA-HITECH Compliance
1. We are not attorneys!
2. The Omnibus has arrived!
3. Lots of different interpretations! So there!

Stephen Treglia, JD
- Legal Counsel, Absolute's Investigations & Recovery Section, 2010 – present
- Prosecutor in New York; investigated/prosecuted organized crime
- Used computers, seized computers
- Started investigating/prosecuting computer crime in 1996
- Created one of the first Technology Crime Units in 1997 and headed it until 2010
- Started investigating/prosecuting Absolute cases in 2006

Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS
- President, Clearwater Compliance LLC
- 30+ years in business, operations and technology; 20+ years in healthcare
- Executive | Educator | Entrepreneur
- Global executive: GE, JNJ, HWAY
- Responsible for the largest healthcare datasets in the world
- Numerous technical certifications (MCSE, MCSA, etc.)
- Expertise and focus: healthcare, financial services, retail, legal
- Member: IAPP, ISC2, HIMSS, ISSA, HCCA, HCAA, CAHP, ACAP, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards

Session Objectives
1. Define and understand basic HIPAA-HITECH relevant terms and concepts
2. Review the specific requirements of HIPAA and HITECH for encryption
3. Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements
4. Address why encryption is not enough!

Answer Page!
1. Secure your PHI: avoid the "Wall of Shame" ... get started now
2. Technology solutions are an important part, but only part, of a balanced Security Program
3. Large or small: consider getting help (tools, experts, etc.)
4. Encryption is likely not enough; consider additional safeguards

Oops! Missed That Safe Harbor Thingy!


Key Terms & Concepts
1. Protected Health Information (PHI)
2. Electronic PHI (ePHI)
3. Secured PHI
4. Unsecured PHI
5. Data Breach
6. Encryption
7. Destruction
8. Safe Harbor
9. Security Essentials
10. Required versus Addressable

Protected Health Information
Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. PHI is interpreted rather broadly and includes any part of a patient's medical record or payment history that is linked to any of the 18 personal identifiers.

Data Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Don't Panic! (Diagram: Event → Incident? → Breach?)

Unsecured PHI
Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable. CEs and BAs must provide the required notification only if the breach involved unsecured protected health information.

Encryption
Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. (45 C.F.R. § Definitions)

Safe Harbor
"This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section in the event of a breach."
Source: DEPARTMENT OF HEALTH AND HUMAN SERVICES, 45 CFR Parts 160 and 164, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information


Security Rule & Encryption
HIPAA ACTUALLY SAYS LITTLE ABOUT ENCRYPTION!
- Privacy Rule: reasonable safeguards for all PHI
- Administrative Safeguards for EPHI: Security Management Process; Security Officer; Workforce Security; Information Access Mgmt; Security Training; Security Incident Process; Contingency Plan; Evaluation; Business Associate Contracts
- Physical Safeguards for EPHI: Facility Access Control; Workstation Use; Workstation Security; Device & Media Control
- Technical Safeguards for EPHI: Access Control; Audit Control; Integrity; Person or Entity Authentication; Transmission Security
22 Security Standards

Access Control (think Data at Rest)
45 C.F.R. § (a)(1) Standard: Access Control. (i) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. (a)(4). ... (2) Implementation specifications: (iv) Encryption and Decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Transmission Security (think Data in Motion)
45 C.F.R. § (e)(1) Standard: Transmission Security. (i) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (2) Implementation specifications: (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

The Security Rule: Required vs. Addressable [1]
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and (ii) As applicable to the entity: (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate: (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate.
ADDRESSABLE ≠ OPTIONAL
[1] 45 CFR (d)(3)

MU Stage 2 Requirements
Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.

The HITECH Act: THREE absolute "game changers"
1) More enforcement
2) Bigger fines
3) Wider net cast

HIPAA Rules fall short... HITECH addressed it
No definition of Secured or Unsecured PHI in HIPAA! The HITECH Act → the Secretary of Health and Human Services must issue guidance. Securing PHI as defined in the new guidance is important because secured PHI is not subject to the breach notification requirements of the HITECH Act.

Encryption Definition (45 CFR Definitions)
Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

HHS / OCR Guidance [1]
Two methodologies to secure PHI by making it unusable, unreadable or indecipherable to unauthorized persons: Encryption and Destruction. They may be used to secure data in four commonly recognized data states:
1. data in motion
2. data at rest
3. data in use
4. data disposed
[1] DEPARTMENT OF HEALTH AND HUMAN SERVICES, 45 CFR Parts 160 and 164, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

Encryption Guidance (based on HHS/OCR Guidance [1])
Valid encryption processes for data at rest are consistent with NIST Special Publication , Guide to Storage Encryption Technologies for End User Devices.
Valid encryption processes for data in motion are those which comply, as appropriate, with:
- NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations;
- NIST SP 800-77, Guide to IPsec VPNs;
- NIST SP , Guide to SSL VPNs;
- or others that are Federal Information Processing Standards (FIPS) validated.

Destruction Guidance
- Must shred or destroy paper, film or other media
- Electronic media → cleared, purged or destroyed consistent with NIST SP , Guidelines for Media Sanitization

2012 OCR Audit Protocol: Audit Procedures
1. Inquire of management as to whether an encryption mechanism is in place to protect ePHI.
2. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
   a. Type(s) of encryption used.
   b. How encryption keys are protected.
   c. Access to modify or create keys is restricted to appropriate personnel.
   d. How keys are managed.
3. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.

Balanced Compliance Program (Clearwater Compliance Compass™)
- Policy defines an organization's values & expected behaviors; establishes "good faith" intent.
- People must include talented privacy, security & technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
- Procedures or processes, documented, provide the actions required to deliver on the organization's values.
- Safeguards include the various families of administrative, physical or technical security controls (including "guards, guns, and gates", encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).


Next Actions to Meet Requirements
1. Get educated on encryption
2. Determine the regulations that apply to you
3. Include ALL "ePHI homes"
4. Decide if encryption is enough
5. Establish selection criteria
6. Identify alternatives for securing PHI
7. Test top alternatives → don't create bricks!
8. Ensure fit into an overall HIPAA compliance plan
9. Put BAs and subcontractors on notice
10. Seek help, if needed


Is Encryption Enough?

State breach notification laws (graphical representation of state laws)
- NM, SD, Kentucky, Alabama lack statutes
- Darker colors: tougher laws
- Virginia considered toughest because of highest penalties
- California started this with a law passed in 2002, effective 2003
- Generally applies to government agencies and businesses
- Some States also cover healthcare

What even constitutes a breach requiring notification?
- Again, varies State by State
- Typically, the release of a name and some other identifier: address, SSN, account number
- Some States have a harm requirement; some don't
- Some require a minimum number breached before notification is required
- Some make encryption a safe harbor; some don't

But does encryption always = "Safe Harbor"?
Those who claim encryption is a safe harbor to HIPAA regulation should read 74 Federal Register 79, issued 4/27/09: Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. At page : "(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by 'the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key' and such confidential process or key that might enable decryption has not been breached."

New York General Business Law § 899-aa
Prior statute: "Personal identifying information" means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element.
Current statute: "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired.
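The key-handling point that runs through the federal safe-harbor wording above (encrypted AND the key "has not been breached"), the New York statute (a key stored in the same record does not count), and the OCR audit items on how keys are protected and managed, as an added Go example that is not from the deck or from Absolute or Clearwater: envelope encryption with AES-256-GCM keeps the key-encryption key (KEK) out of the stored record, and a small check mirrors the two guidance conditions. The StoredRecord layout, the function names and the sample record are constructed for illustration; the KEK is assumed to live in an HSM or key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredRecord is what lands on disk or in a database. Envelope layout: encrypted
// PHI plus a data-encryption key (DEK) wrapped under a key-encryption key (KEK)
// kept elsewhere (HSM, key service); the KEK never appears in the record.
// Key-in-record layout: the DEK is stored in clear next to the data it protects.
type StoredRecord struct {
	Ciphertext []byte // AES-256-GCM(DEK, PHI), nonce prepended
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended; nil in key-in-record layout
	PlainDEK   []byte // the DEK itself; non-nil only in key-in-record layout
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects nil or wrong-length keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewKey returns a random 256-bit key, usable as KEK or DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// EncryptPHI encrypts one record under a fresh DEK. keyInRecord=false wraps the DEK
// under the KEK (envelope layout); keyInRecord=true stores the DEK next to the data.
func EncryptPHI(kek, phi []byte, keyInRecord bool) (StoredRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, phi)
	if err != nil {
		return StoredRecord{}, err
	}
	if keyInRecord {
		return StoredRecord{Ciphertext: ct, PlainDEK: dek}, nil
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptWithKEK is the authorized path: unwrap the DEK with the KEK, then open the PHI.
func DecryptWithKEK(kek []byte, r StoredRecord) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// DecryptFromRecordAlone models whoever holds only a copy of the record (a lost
// laptop, a stolen backup tape) and no KEK: it can use only what the record carries.
func DecryptFromRecordAlone(r StoredRecord) ([]byte, error) {
	return open(r.PlainDEK, r.Ciphertext) // nil PlainDEK fails in aes.NewCipher
}

// SafeHarborApplies encodes the HHS guidance quoted in the deck: ePHI encrypted AND
// the key "has not been breached" (a key stored with the data is breached with it).
func SafeHarborApplies(r StoredRecord, kekCompromised bool) bool {
	return len(r.Ciphertext) > 0 && r.PlainDEK == nil && !kekCompromised
}
```

For the audit items above, the same separation is what lets an entity answer "how keys are protected" and "who can create or modify keys" for the KEK alone, instead of for every record.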

Several States do allow encryption to be a safe harbor
Arizona, A. Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions: "A. When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected."

What does all this volatility mean to you?
- Causes the most problems for multi-state entities
- How do compliance officers respond? They comply with the "highest denominator": they comply with the toughest State statutes to play it safe. If in compliance with the toughest, they're in compliance with the rest.
- Why is staying compliant important?

Consider More Robust Technology

Many Services / Many Solutions / Even Unique Ones
- Computrace / Lojack for Laptops / patented Persistence: unique to the industry
- Many devices / one solution: also unique
- Recovery staff of 43 ex-law enforcement officers with over 1000 years of experience: also unique
- Encrypted devices / encryption reports
- Device freeze / data delete
- Geo-fencing / data loss prevention
- Forensic / investigative services: can tell what data is and isn't seen; report generated

Compliance is important way beyond HIPAA penalties & fines
- Think as an ambulance-chasing attorney for a moment
- Each listing of a breached healthcare system is > 500 identities
- Generally, a breached identity is valued at a minimum of $1000
- Class action lawsuit just waiting to happen

Shooting fish in a barrel. Shooting sitting ducks (from a blind that's not all that blind). Apropos analogies?

A $4.9 BILLION Lawsuit
- U.S. Dept. of Defense defendant for theft of a computer tape from a car driven by an employee of the subcontractor of one of its Business Associates
- Records of 4.9 million members of the military on the tape
- $1000 per victim = $4.9 billion
- Business Associate also a defendant, but not the subcontractor (sue the entities with the biggest pockets)

Another $4 BILLION Lawsuit??? Failing to use encryption.

Share Price (chart: Accretive Health 5-year share price with event markers; source: http://finance.yahoo.com/echarts?s=AH+Interactive#symbol=ah;range=5y;compare=;indicator=volume;charttype=area;crosshair=on;ohlcvalues=0;logscale=off;source=undefined)
- July: Accretive employee's laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee's car
- 1/19/2012: MN SAG suit
- 7/31/2012: $2.5M MN SAG settlement
- 4/2/2013: CEO replaced
- 6/13/2013: class suit
- 8/26/2013: CFO replaced
- 9/27/2013: $14M class settlement
- 12/31/2013: FTC settlement

Summary
1. Secure your PHI: avoid the "Wall of Shame" ... get started now
2. Technology solutions are an important part, but only part, of a balanced Security Program
3. Large or small: consider getting help (tools, experts, etc.)

Resources
- Risk Analysis Buyer's Guide: analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/
- Encryption & Risk Analysis Information: hitech-resources/

Resources
- Register for upcoming live HIPAA-HITECH webinars at: /live-educational-webinars/
- View pre-recorded webinars like this one at: demand-webinars/

Clearwater HIPAA Compliance BootCamp™ Events: Take Your HIPAA Privacy and Security Program to a Better Place, Faster
- February 12, 19, 26 | HIPAA Virtual BootCamp™
- March 17 | Live HIPAA BootCamp™ | Detroit
- Other 2014 plans, virtual, web-based events (3 sessions of 3 hours): May, August, November
- Other 2014 plans, live, in-person events (9 hours): March 17 – Detroit; April 24 – San Francisco; July 24 – Boston; October 16 – Los Angeles

HIPAA Compliance BootCamp™: HOW TO...
Welcome, Introductions and Overview
1. How to set up your Privacy and Security Risk Management & Governance Program
2. How to assess your increased liability risk under the Omnibus Final Rule
3. How to develop & implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (PnPs)
Networking Break
4. How to prepare for and manage an OCR investigation
5. How to train all members of your workforce
Networking Luncheon & Refresh
6. Panel discussion: How to implement a strong, proactive Business Associate management program
7. How to complete all HIPAA Security Rule assessment requirements
Networking Break
8. Presentation and panel discussion: How to create a "Culture of Compliance"
9. How to assess and monitor your compliance with the HIPAA Privacy Rule and HITECH Breach Notification Rule
Buffer Time, Q&A, Final Remarks
Attendee Reception (optional)

Expert Instructors
- Gregory J. Ehardt, JD, LL.M., HIPAA/Assistant Compliance Officer - HCA, Adjunct Professor, Office of General Counsel, Idaho State University
- Bob Chaput, CISSP, CIPP/US, CHP, CHSS, CEO, Clearwater Compliance
- Elizabeth Warren, Esq., Partner, Bass, Berry & Sims, PLC
- Mary Chaput, MBA, CIPP/US, CHP, CFO & Chief Compliance Officer, Clearwater Compliance
- Meredith Phillips, MHSA, CHC, CHPC, Chief Information Privacy & Security Officer, Henry Ford Health System
- David Finn, CISA, CISM, CRISC, Health IT Officer, Symantec Corporation

Contact
- Stephen Treglia, JD, Legal Counsel, Recovery Section, Absolute Software Corporation
- Bob Chaput, CISSP, CIPP-US, CHP, CHSS, CEO & Founder, Clearwater Compliance LLC
