Slide 1
Copyright Jordan Lawrence. All rights reserved.
U.S. Privacy and Security Laws
DELVACCA Inaugural In-House Counsel Conference, April 1, 2009
Marty Provin, Executive Vice President, Jordan Lawrence

Slide 2: Privacy Breaches Happen Every Day
 March 24, 2009: Hospital employee left patient records on a train she was taking with her to do billing work over the weekend.
 March 18, 2009: Names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without being encrypted by a pharmacy benefit provider.
 March 18, 2009: Personal information of 1,300 university students and faculty members was on a laptop stolen from a professor traveling in Italy.
 March 11, 2009: University kept information (including Social Security numbers and salary information for employees and students), dating back at least ten years, in a storage area next to one of the most trafficked lecture halls on campus, behind a door that was not only unlocked but taped open.
 February 2, 2009: Medical records were disposed of in a dumpster behind the office.
 February 2, 2009: Hundreds of folders containing names, addresses, Social Security numbers and credit card information were found in a dumpster.
Source: Privacy Rights Clearinghouse

Slide 3: After a Privacy Breach
Safe Harbor
   Possible if data was encrypted
   Best practice is to notify regardless
   Credit monitoring and assistance
Penalties
   Fines
   Civil right of action

Slide 4: Cost of a Privacy Breach
Hard dollar costs
   $6.6 million average expense to an organization
     Cost of notifying victims
     Maintaining information hotlines
     Legal, investigative, and administrative expenses
     Credit monitoring
Reputational harm
   31% of breach notice recipients terminate their business
   57% reported losing trust and confidence
Source: Ponemon Institute

Slide 5: Why Companies Struggle
Misguided "prevention" efforts
   Less than 20% of breaches involve unauthorized network access
   More than $5 billion spent on network security
Failure to understand the most common risks
   53 of 81 data breaches reported in 2009 [1] have involved:
     Lost or stolen laptops, computers or storage devices
     Backup tapes lost by employees or third-party vendor
     Employees' handling of information
     Dumpster diving
[1] Source: Privacy Rights Clearinghouse as of March 24, 2009

Slide 6: People and Policy
It's about policy awareness and policy compliance
   54% of business representatives don't think their company's privacy policy applies to e-mail [1]
   39% of business representatives report saving sensitive company data to personal computers and storage devices [1]
   One out of ten employees report having had a company computer or storage device lost or stolen in the last 12 months [2]
[1] Source: 2008 Jordan Lawrence Assessment Data
[2] Source: 2008 Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss, by InsightExpress

Slide 7: Taking the First Step
Identify the necessary information
   What personally identifiable data does the company have?
   Where do they have it?
   How is it managed?

Slide 8: How Do You Get This Information
Business representatives understand
   The types of sensitive information they work with
   What media it's in
   Who they share it with
   How they manage it
   What they do with it at end of life
Subject matter experts understand
   Encryption services deployed
   Back-up processes
   Disposal processes
   Third parties that have access to sensitive information

Slide 9: What You Will Find
1,272 record type profiles with sensitive information

Type of sensitive data:
   Social Security Numbers
   Credit History Information
   Credit/Debit Account Information
   Employment Information
   Medical Information
   Name, Phone, Address

Location of data (record type profiles by business area):
  Human Resources: 29 on laptop (no encryption); 11 on flash drive; 14 e-mailed outside organization
  Accounting:      18 on laptop (no encryption); 22 on flash drive; 15 e-mailed outside organization
  Security:        10 on laptop (no encryption); 9 on paper (no shred bin)

Source: Client data from a Jordan Lawrence Assessment

Slide 10: Putting Policy Into Practice
Develop a policy including
   Definition of what is considered sensitive information
   How to manage sensitive information
   How to dispose of sensitive information
   Annual acknowledgment
   Consequences for not complying
Train all employees
   Conduct annual training
   Make it part of the hiring process

Slide 11: Enforcing Policy
Implement a process for safeguarding sensitive information
   Information technology for technical safeguards
   The business for managing and destroying hardcopy
Audit
   Formal audit process
   Annual spot auditing of business areas
Annually re-assess
   Identify new risks as business processes change
   Ensure compliance with "new" and changing laws
   Cross-border litigation

Slide 12: Thank You
Marty Provin