Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
David Assee BBA, MCSE Florida International University
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Privacy, Security, Confidentiality, and Legal Issues
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works
Information Security Policies and Standards
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
Session 3 – Information Security Policies
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
New Data Regulation Law 201 CMR TJX Video.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
April 23, Massachusetts’ New Data Security Regulations: Ten Steps To Compliance Amy Crafts
NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Information Security Technological Security Implementation and Privacy Protection.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Managing Risk in Cloud Computing Contracts Henry Ward and Todd Taylor April 30, 2015.
The Use of Health Information Technology in Physician Practices
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
HIPAA PRIVACY AND SECURITY AWARENESS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
IDENTITY THEFT. RHONDA L. ANDERSON, RHIA, PRESIDENT ANDERSON HEALTH INFORMATION SYSTEMS, INC.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Working with HIT Systems
Copyright ©2014 by Saunders, an imprint of Elsevier Inc. All rights reserved 1 Chapter 02 Compliance, Privacy, Fraud, and Abuse in Insurance Billing Insurance.
© Copyright 2010 Hemenway & Barnes LLP H&B
Welcome….!!! CORPORATE COMPLIANCE PROGRAM Presented by The Office of Corporate Integrity 1.
Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.
Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.
Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University.
CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin Chapter 6 The Privacy and Security of Electronic Health Information.
© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.
iSecurity Compliance with HIPAA
Chapter 3: IRS and FTC Data Security Rules
Move this to online module slides 11-56
Red Flags Rule An Introduction County College of Morris
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
Final HIPAA Security Rule
County HIPAA Review All Rights Reserved 2002.
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
HIPAA Security Standards Final Rule
HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.
THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,
Introduction to the PACS Security
Presentation transcript:

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting state & Federal data protection acts - because we have to look at the Massachusetts law in context

Agenda Background MA 201 CMR 17 NV 603a HITECH The Federal Data Accountability & Trust Act (DATA) Summary

Regulatory Summary Forty-five states have enacted legislation requiring notification of security breaches involving personal information Many laws only deal with notification after a breach Massachusetts and Nevada have passed laws/regulations aimed at preventing breaches The House of Representatives has passed the DATA Act (HR 2221) – also requiring preventive measures – it’s in committee in the Senate now HITECH has broadened applicability of HIPAA requirements Red Flag Rules require any organization that extends credit to look for “red flags” that indicate identity theft

Comparing Regulations Until now, most laws designed to protect information were risk based and rather vague –HIPAA, GLB, CA New laws (MA and NV) are more prescriptive They require specific administrative and technical controls The trend is to prescribe controls while taking risk into account

MA 201 CMR 17: MGL c. 93H The law is designed to prevent identity theft Requires all holders of personal information to implement procedural and technical safeguards to protect the data Is consistent with controls required by industry standards (ISO 27000) and other regulations (HIPAA, Red Flag Rules) Companies’ programs are judged taking into account risk –The size, scope, and type of business –The resources available –The amount of stored data –The need for security and confidentiality of information This regulation appears to be setting the standard

WISP All new regulations require formal programs MA 201 CMR 17 requires organizations to have a formal comprehensive written information security program (WISP) What is a WISP? –Full documentation of your security program –Documentation of the specific controls required by the law

MA Administrative Controls A designated person or group responsible for managing the security program A risk assessment and management program A method of assessing the effectiveness of controls protecting personal data An employee and contractor training program A set of security policies and procedures A method of monitoring employee compliance

MA Administrative Controls 2 A means for detecting and preventing security system failures (monitoring and review) Specific policies and procedures relating to the storage, access, transmission, and handling of personal data Disciplinary measures for non-compliance A reliable method of promptly disabling access of terminated employees

MA Administrative Controls 3 A program to ensure that third parties with access to personal data are competent and contractually obligated to maintain appropriate safeguards on the information A set of physical controls to ensure that systems, media, and paper containing personal data are protected from unauthorized access An annual review of security measures and reviews whenever there is a material change in business practices that may affect

MA Technical Controls Secure user authentication methods, including secure protocols that do not expose passwords on the network, strong passwords, secure password storage, unique user identifiers, and optional two-factor authentication technologies Access control mechanisms that restrict access to only active users Automatic lockout after multiple failed access attempts Tight access controls on files and records containing personal information Restriction of access to those with a business need Removal of all vendor default accounts

MA Technical Controls 2 Encryption of personal records when transmitted across public and wireless networks Monitoring of systems for unauthorized use and access to personal information Encryption of all personal information stored on laptops or other portable devices An Internet firewall protecting systems and files containing personal information A vulnerability and management program that keeps software and virus definitions up-to-date

Nevada 603a Requires “data collectors” to: Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure of personal data Comply with current PCI DSS (if a merchant) Encrypt personal information transmitted outside the secure system of the data collector Encrypt data on storage devices moved outside the physical controls of the data collector Contract with business associates to maintain reasonable measures …

NV 603a (continued) Requires notification in event of breach Allows civil action against those who profit from breach Provides for restitution by perpetrator to data collector for damages Attorney General may bring injunction against violator Organizations are not liable if they are compliant Does not apply to communications providers

HITECH: Enhances HIPAA Health Information Technology for Economic and Clinical Health Act (HITECH Act) Part of the American Recovery and Reinvestment Act of 2009 Government will encourage nationwide electronic exchange and use of health information to improve quality and coordination of care. Investing $20 billion in incentives to deploy health technology Goal to improve quality of care and care coordination and reduce medical errors and duplicative care Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care sector increases use of Health IT

HITECH Act Establishes a Federal breach notification requirement for health information that is not encrypted Requires notification of unauthorized disclosure Expands compliance requirements to all organizations with access to health information Allows individuals to request audit trail Shuts down secondary information mining market Requires patient authorization to use EPHI for marketing and fundraising Strengthens enforcement of Federal privacy and security laws by increasing penalties for violations Provides greater resources for enforcement and oversight activities

Data Accountability and Trust Act of 2009 Passed in the House of Representatives Supersedes state notification laws Considers bank account information personal information only with PIN Places strong requirements on information brokers –Accuracy –Policy audits –Individual access to data –Post breach audits Requires a program of administrative and technical controls

DATA Bill Controls Responsible officer Formal security policy for personal information Vulnerability management –Assessment –Monitoring –Corrective actions Secure data destruction procedures Notification procedures

Summary Trend is toward laws that are more prescriptive while still being risk based Most regulations require –Governance –Policy –Data controls (identification, isolation, encryption) –Identity management and access controls –Vulnerability management –Incident response (and breach notification) –Monitoring and assessment of effectiveness Your best path is to establish a security program that meets these needs as the trend of stricter regulations and threats to information will only intensify

We appreciate your feedback and comments. Jonathan Gossels, President SystemExperts Corporation (888)