Part 1: Controlled Unclassified Information (CUI)


HL7 Security and Privacy: Data Protection, Privacy, Security, Access, Liquidity and Availability Series
Part 1: Controlled Unclassified Information (CUI)

Controlled Unclassified Information

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls.

CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic.

CUI does not include:
- Classified Information
- Non-executive branch entity information
- Uncontrolled Unclassified Information

Security Labels

Full Marking Example: “CUI//SP-HLTH/HLTH/PRVCY”

From: Mark Riddle <mark.riddle@nara.gov>
Sent: Wednesday, May 01, 2019 3:15 PM
To: Xanthakos, Nicholas (OGC) nicholas.xanthakos@va.gov
Subject: [EXTERNAL] Re: Question Regarding CUI Labeling - Specified vs. Basic

Hi Nicholas,

I apologize for the delay in responding. Health records should be indicated, marked, as CUI Specified. The banner would appear as CUI//SP-HLTH.

Mark Riddle
Principal for CUI Program Oversight
Information Security Oversight Office
National Archives and Records Administration
700 Pennsylvania Avenue, NW (Room 500)
Washington, DC 20408
Phone: 202.357.6864
mark.riddle@nara.gov
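As an added illustration (not part of the presentation or of any HL7 artifact), the parser below reads a banner such as the one quoted above and decides whether the item falls under CUI Basic or CUI Specified handling. The banner grammar it assumes, including the optional limited-dissemination segment after a second "//", follows the ISOO CUI Marking Handbook rather than anything stated on this slide; the function and class names are the author's own.

```python
import re
from dataclasses import dataclass, field

# Banner grammar assumed here (from the ISOO CUI Marking Handbook, not from the slide):
#   CUI [ "//" CATEGORY { "/" CATEGORY } [ "//" LDC { "/" LDC } ] ]
# A category marking prefixed "SP-" is CUI Specified; any other category is CUI Basic.
# LDC = limited dissemination control, e.g. NOFORN or FED ONLY (optional segment).
CATEGORY_RE = re.compile(r"^(SP-)?([A-Z][A-Z0-9]*)$")   # e.g. SP-HLTH, HLTH, PRVCY
LDC_RE = re.compile(r"^[A-Z][A-Z0-9 ,-]*$")              # e.g. NOFORN, REL TO USA, GBR


@dataclass
class CuiMarking:
    specified: list = field(default_factory=list)      # categories carrying SP-
    basic: list = field(default_factory=list)          # CUI Basic categories
    dissemination: list = field(default_factory=list)  # limited dissemination controls

    @property
    def tier(self) -> str:
        # A single Specified category puts the whole item under Specified handling.
        return "CUI Specified" if self.specified else "CUI Basic"


def parse_cui_banner(banner: str) -> CuiMarking:
    """Parse one banner line into its parts; raise ValueError if it is malformed."""
    parts = banner.strip().split("//")
    if parts[0] != "CUI" or len(parts) > 3:
        raise ValueError(f"not a CUI banner: {banner!r}")
    marking = CuiMarking()
    if len(parts) >= 2:                                # category segment present
        for cat in parts[1].split("/"):
            m = CATEGORY_RE.match(cat)
            if not m:
                raise ValueError(f"bad category marking: {cat!r}")
            (marking.specified if m.group(1) else marking.basic).append(m.group(2))
    if len(parts) == 3:                                # dissemination segment present
        for ldc in parts[2].split("/"):
            if not LDC_RE.match(ldc):
                raise ValueError(f"bad dissemination control: {ldc!r}")
            marking.dissemination.append(ldc)
    return marking


def is_valid_banner(banner: str) -> bool:
    """Accept/reject check for callers that do not need the parsed parts."""
    try:
        parse_cui_banner(banner)
        return True
    except ValueError:
        return False
```

On the slide's own example, `parse_cui_banner("CUI//SP-HLTH/HLTH/PRVCY").tier` is "CUI Specified", since HLTH appears once with the SP- prefix even though HLTH and PRVCY also appear as Basic categories.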

CUI Legal Agreements: When? / What?

Agreements and arrangements are any vehicle that sets out specific CUI handling requirements for contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not limited to, contracts, grants, licenses, certificates, memoranda of agreement/arrangement or understanding, and information sharing agreements or arrangements. (See § 2002.4, Definitions.)

At § 2002.16, Accessing and disseminating:

(5) Agreements. Agencies should enter into agreements with any non-executive branch or foreign entity with which the agency shares or intends to share CUI, as follows (except as provided in paragraph (a)(7) of this section):

(i) Information-sharing agreements. When agencies intend to share CUI with a non-executive branch entity, they should enter into a formal agreement (see § 2004.4(c) for more information on agreements), whenever feasible. Such an agreement may take any form the agency head approves, but when established, it must include a requirement to comply with Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267) or any successor order (the Order), this part, and the CUI Registry.

(ii) Sharing CUI without a formal agreement. When an agency cannot enter into agreements under paragraph (a)(6)(i) of this section, but the agency's mission requires it to disseminate CUI to non-executive branch entities, the agency must communicate to the recipient that the Government strongly encourages the non-executive branch entity to protect CUI in accordance with the Order, this part, and the CUI Registry, and that such protections should accompany the CUI if the entity disseminates it further.

TEFCA Draft 2 Minimum Security Requirements

The MRTCs (Minimum Required Terms and Conditions) Draft 2 requires that QHINs (Qualified Health Information Networks) comply with the HIPAA Privacy and Security Rules as they pertain to EHI (electronic health information). QHINs must also:
- Evaluate their security program for the protection of Controlled Unclassified Information (CUI), and
- Develop and implement an action plan to comply with the security requirements of the most recently published version of NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations).

In addition, as part of its ongoing security risk analysis and risk management program, each QHIN shall review the most recently published version of the HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework.

HITAC CUI TEFCA Rebuttal: HITAC Recommendation Is Uninformed

- Per NARA and 32 CFR 2002, federal agencies should establish legal agreements for the exchange of CUI, or modify existing ones, which thereby conveys a burden on recipients to protect CUI-designated information in accordance with EO 13556. For this purpose, a binding OP&P update has been created in Sequoia with no objection from members (see embedded document).
- NIST SP 800-171 provides 25 additional requirements that extend the Security Rule and provide needed enhancement/update to existing healthcare security and privacy controls in nonfederal systems.
- Contrary to HITAC, CUI controls flow down to federal partners.
- NIST SP 800-171A provides nonfederal organizations with assessment procedures and a methodology that they can employ to conduct their own assessments of the NIST SP 800-171 CUI security requirements.

HL7

Summary

- CUI protects federal government information generally and is specific to healthcare law.
- CUI is concerned with protections for data at rest.
- CUI is just one component of a full data management approach to information sharing.
- Part II of this series will address “Sharing with Protections” and “Security and Privacy Labeling” as the second component, covering tools designed to eliminate restrictions on sharing, bottlenecks, and gaps in information.

References

NIST Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.

NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information. This publication provides federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

HIMSS19 Interoperability Showcase: “Controlled Unclassified Information”, Feb 11-15, Orlando, FL. 20190227_HIMSS_CUI_2019_WITH_NAVIGATION for Confluence.pptx

Controlled Unclassified Information (CUI) Problem and Solutions: Introduction to the CUI Business Problem for which HL7 has developed a standards-based, interoperable solution for HL7 product families.

END