Organizing a Privacy Program: Administrative Infrastructure and Reporting Relationships Presented by: Samuel P. Jenkins, Director Defense Privacy Office.

Slides:

Advertisements

Similar presentations

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Advertisements

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

HIPAA Regulations What do you need to know?.

Randy Benson RHQN Executive Director May, Compliance Issues During Survey Compliance Officers monitor healthcare facilities (hospitals and clinics)

October In May 2000, Walkerton’s drinking water system became contaminated with deadly bacteria, primarily Escherichia coli O157:H7.1 Seven people.

David A. Brown Chief Information Security Officer State of Ohio

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Security Controls – What Works

Developing a Records & Information Retention & Disposition Program:

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

The Role of Regulation in the development of the postal sector in Uganda A presentation to the conference on Leveraging of ICTs in the transformation of.

IT Security Challenges In Higher Education Steve Schuster Cornell University.

Purpose of the Standards

Guidelines for constructing a Compliance Program for Medicaid Managed Care Organizations and PrePaid Health Plans As provided by the Medicaid Alliance.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

© 2013 BOS Solutions Ltd. Revised: Mar 15,2013 Version 2 – BOS HSE MSpg. 1 The BOS HSE Management System Brad Whitaker, MSPH, CSP BOS Solutions HSE Director.

Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.

Internal Auditing and Outsourcing

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Postgraduate Educational Course in radiation protection and the Safety of Radiation sources PGEC Part IV The International System of Radiation Protection.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Basics of OHSAS Occupational Health & Safety Management System

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

Credit unions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback.

Institutional Research Compliance Juliann Tenney, JD Research Compliance and Privacy Officer Director, Institutional Research Compliance Program.

Forms Management: Compliance, Security & Workflow Efficiencies.

IAEA International Atomic Energy Agency Reviewing Management System and the Interface with Nuclear Security (IRRS Modules 4 and 12) BASIC IRRS TRAINING.

Establishing A Compliance Program: It Makes Sense

Integrating HIPAA Into Your Compliance Program Fifth Annual National Congress on Health Care Compliance February 7, 2002 Glenna S. Jackson Vice President.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.

HIT Standards Committee Privacy and Security Workgroup: Initial Reactions Dixie Baker, SAIC Steven Findlay, Consumers Union June 23, 2009.

Records & Information Management (RIM) Risk: Is Your Company Exposed? March 19, 2013.

Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

1.Summary of Needs Analysis 2.Summary of Action Plan 3.Systems Analysis between Microsoft SharePoint® and OpenText Content Server 4.System Recommendation.

HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September.

Copyright © Emerson Strategic Group, Inc. All Rights Reserved 1 Ninth National HIPAA Summit Auditing for Privacy Compliance: A Case Study September.

Managing your Institution-Specific HIPAA Compliance Policies and Procedures Cutting Edge Issues Thursday, December 13, 2007.

DATA IT Senate Data Governance Membership IT Senate Data Governance Committee Membership Annie Burgad, Senior Programmer, Central IT Julie Cannon, Director.

SCHOOLS FINANCE OFFICERS MEETINGS Records Management, “Paper-Lite” Environments and Procedures when a school closes Elizabeth Barber.

Information Security IBK3IBV01 College 3 Paul J. Cornelisse.

Privacy Act United States Army (Managerial Training)

Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.

SOLGM Wanaka Retreat Health and Safety at Work Act 2015 Ready? 4 February 2016 Samantha Turner Partner DDI: Mob:

Functioning as a Business Associate Under HIPAA William F. Tulloch Director, PCBA March 9, 2004.

WESTERN PA CHAPTER OF THE AMERICAN PAYROLL ASSOCIATION – NOVEMBER 4, 2015 Risk Management for Payroll.

Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.

1 Information Governance (For Dental Practices) Norman Pottinger Information Governance Manager NHS Suffolk.

CBIZ RISK & ADVISORY SERVICES BUSINESS CONTINUITY PLANNING Developing a Readiness Strategy that Mitigates Risk and is Actionable and Easy to Implement.

Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey.

 Pharmaceutical Care is a patient-centered, outcomes oriented pharmacy practice that requires the pharmacist to work in concert with the patient and.

Safety Management Systems Session Four Safety Promotion APTA Webinar June 9, 2016.

SUNY Maritime Internal Control Program. New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls.

Team 1 – Incident Response

Chapter 3: IRS and FTC Data Security Rules

Red Flags Rule An Introduction County College of Morris

HIPAA Security A Quantitative and Qualitative Risk Assessment

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Data Mapping & Data Subject Rights

Introduction to the PACS Security

Sam elkholy Director, systems engineering

Presentation transcript:

Organizing a Privacy Program: Administrative Infrastructure and Reporting Relationships Presented by: Samuel P. Jenkins, Director Defense Privacy Office Former Privacy Officer, DoD Tricare Management Activity

AGENDA Opening Thoughts Organizational Assessment Privacy Program Development Ongoing Activities Monitoring and Reporting

The health care industry uses one of the largest networked information systems in the country. The information technology and many interfaces required to meet the needs of the healthcare industry continue to expand. With this expansion we are also experiencing a similar increase in privacy incidents (loss, theft or compromise) and breaches of information (identity theft, healthcare fraud, malicious intent). The Nations concern for personal privacy is not new particularly in health care. Becoming privacy compliant is a process first through an assessment of where we are and a determination where we desire to be followed by a plan to get and stay there. The application of privacy standards for personally identifiable information and protected health information has evolved over time. Organizations must continue to grow in order to stay ahead of these changes. The standards that are most important are those that matter the most to the customer. Opening Thoughts

OrganizationalAssessment Organizational Assessment Determine where the organization is in relation to its privacy requirements – Identify information systems and processes Document all locations of personal information (files, databases, paper copies, CDs, hard drives, tapes and any other storage medium) Map the processes associated with the above locations against the requirements of the organization the collect, use, share, process, maintain, store and destroy information Compare current policies against the requirements of applicable privacy legislation or regulation to establish a gap analysis between existing and required standards Identify risks associated with data, uses and compliance to create a strategic plan and working document to achieve compliance

Privacy Program Development (Refreshment) Establish infrastructure Position descriptions –Chief Privacy Official –Privacy team leads –Key Privacy personnel Compliance reporting lines –Policy and compliance monitoring –Training and refresher training completion and documentation –Incident reporting and follow-up Designate authority over privacy issues –Develop teams and identify key personnel for privacy actions related to documents, systems, information sharing, transfer, storage and others –Empower employees throughout the organization

Development and implementing policies, procedures training and making changes as required – Change forms, systems, procedures and manuals to reflect privacy requirements Change or develop systems to address and support privacy compliance. Network coordination of policy development and implementation throughout the organization Review holdings and archived information for protections (both privacy and security requirements) Train, refresh, retrain. Learning is not just acquiring more information but instead it is about expanding the results we truly want. Create anonymous lessons learned from incidents to educate staff on issues and ways to avoid them Ongoing Activities

Monitor and Report for Compliance To ensure you get to the desired compliance Re-assess results with policies to measure outcomes and show due diligence toward compliance Determine criteria for measurement of training completion, incident reporting and management actions Create an environment that encourages the reporting of incidents Identify thresholds for escalating issues to senior management Establish a means of communication for staff, patients and other persons with inquiries, concerns or issues Ensures that appropriate reporting procedures are developed and implemented and that there is a mechanism for follow-up, communication, re-training and resolution of issues. Ensures that appropriate reviews and audits are conducted to provide assurance that privacy policies, procedures and technology create a compliant environment.

Conclusion A privacy compliant organizational structure allows adoption of methodologies in addressing the privacy issue it faces. The organization can address in a systematic and planned way, specific privacy requirements, including personal information policies, procedures and standards. An adequate privacy compliance program can create or improve consumer trust and improve the protection of information for consumers and employees alike. Publicity of privacy violations can cause damage to an organizations reputation and possibly its ability to attract patients.

Samuel P. Jenkins, Director 1901 S. Bell Street, Suite 920 Arlington, VA ( ) (Office) (703) (Fax) (703)