Health Data Encryption: The Seven Principles of Privacy

To view other past webinars or to register for upcoming FREE HIPAA educational webinars please visit www.compliancy-group.com/webinars.

To try The Guard, our compliance tracking solution, risk free please visit www.compliancy-group.com

Transcript

  • 1. There is no “oops” clause to Privacy Legislation
    Feb 27, 2013
    Presented by Robby Gulri, VP Products, gulri@echoworx.com
    For product inquiries: Ryan Vaudry, Account Director, vaudry@echoworx.com
  • 2. Compliance Simplified – Achieve, Illustrate, Maintain
    Industry leading Education
    Today's Webinar
    • Please ask questions
    • Today's slides are available at http://compliancy-group.com/slides023/
    • Past webinars and recordings: http://compliancy-group.com/webinar/
    Certified Partner Program
    855.85HIPAA
    www.compliancygroup.com
  • 3. Privacy legislation is everywhere
  • 4. Safe harbor bridges the “privacy gap”
  • 5. Safe harbor
    • Policy agreement between the United States Department of Commerce and the European Union (E.U.)
    • Regulates the way that U.S. companies export and handle the personal data of European citizens
    • Before safe harbor it was almost illegal to transfer personal data outside of Europe
    • Safe harbor stipulates that companies collecting personal data must:
      – inform the people that the data is being gathered
      – tell them what will be done with it
      – obtain permission to pass on the information to a third party
      – allow people access to the data gathered
      – assure data integrity and security
      – guarantee a means of enforcing compliance
  • 6. Safe harbor framework
    • 7 Privacy Principles
      – Notice, Choice, Onward Transfer, Access, Data Integrity, Security, Enforcement
      – 15 FAQs
    • Standards for Email Encryption
    • Series of letters between the European Commission, Department of Commerce, Federal Trade Commission, and Department of Transportation
  • 7. IT'S THE LAW!
  • 8. Examples of highly enforced regulations
    • HIPAA mandates that all protected health information should be encrypted on public networks
    • Massachusetts encryption law states that all personal information stored on laptops and other portable devices must be encrypted
    • The Italian personal data protection code states that sharing of personal data between healthcare bodies and professionals must be carried out using encryption technology
    • California bill AB 1950 mandates that all organizations that use personal electronic records must establish precautionary measures to protect data
    • Michigan encryption law states that personal identifying information must be stored in an encrypted format
    • The Spanish royal decree states that sensitive data may only be transmitted electronically if the data is encrypted first
    • Nevada encryption law states that businesses must encrypt all information transferred electronically
    • Canadian department of justice states that private information should be locked in cabinets, protected with passwords and protected with encryption
  • 9. Regulations are complex
    • Sectoral regulations are different for healthcare, financial services, banking, insurance, and more
    • Federal regulations include HIPAA, PCI, SOX, Children On-Line Information
    • State laws require data breach notifications
    • Agency regulations include FTC, Office of Treasury, SEC, etc.
    • Global laws include safe harboring and export laws
  • 10. What exactly are we protecting? An individual's personal information, or PI
    • Name
    • Initials
    • Address
    • SSN
    • Phone number
    • Email address
    • Photographs
    • Fingerprints
    Data includes:
    • Personal details like salary, bank balance, etc.
    • Consumer and employee e-mail
    • Internal reports
    • Expressions of interest on particular topics
    • IT logs of originating IP addresses
    • Internet transmission data like particular web pages viewed, etc.
    • and more …
  • 11. Regulated versus non-regulated data
    REGULATED DATA
    • Personal information:
      – Health data: disease history, biometric identifiers such as retinal scans, DNA
      – Financial data: pin codes, account numbers, billing details, credit card information
      – Personal data: social security numbers, fingerprints, race, ethnicity, sex/orientation, religious belief, political opinion, trade union membership, physical/mental health or conditions, criminal record
    NON-REGULATED DATA
    • Intellectual property:
      – R&D
      – Technical Specs
      – Documentation
      – Source Code
      – Diagrams, formulas, and calculations
      – Manufacturing and development processes
  • 12. Key vulnerabilities and risks
    • Third-party vendors who handle data transfers
    • Lost devices such as laptops, portable media and back-up tapes
    • Dumpster diving
    • Peer-to-peer networks such as iPods, file sharing, etc.
    • Email scams such as phishing
    • Internet routers that are not protected
    • Using SSNs for authentication and insecure storing of SSNs
    • Improper access to facilities and physical equipment
    • Mobile and home-based workforce without VPN controls, device management, and remote security processes
    • Social Engineering risks and internal call centers not prepared to handle these risks
  • 13. Email poses the biggest risk
    • Email is still the #1 business communications tool
      – Workers spend an average of 152 minutes per day on email
      – Worldwide email accounts by 2014 are projected at 3.8 billion
    • Widespread misuse of email
      – 1 in 5 outgoing emails contain content that poses a legal, financial, or regulatory risk
    • High risk
      – 89% of unsolicited email contain malware
      – Email is the most common “attack” method for hackers
      – 75% of all corporate email contain some Intellectual Property
  • 14. Email poses the biggest risk
    • Embedded links and file attachments all pose a high risk
    • Highest profile data breaches generally involve email and the interception of email
    • Ongoing education is required for employees, partners, and customers
    • An email encryption solution that “just works” is required to protect privacy and sensitive information
      – Email encryption technology must be easy to use and deploy
      – Complexities of encrypting email should be hidden from the end-user
      – Email encryption solution must be standards based
      – Email encryption solution must be powerful and military grade
  • 15. Understanding data interception
    • Spear Phishing – attacks directed at high profile targets
    • Spoofing / Spam – Disguised email that introduces viruses and malware into systems to extract information
    • Phishing – Disguised email designed to acquire passwords and other confidential information relating to privacy
    • Cache Poisoning – DNS compromises for URL redirection
    • Denial of Service – Bring down a mail server with a high volume of emails to then extract information
    • Man in the Middle – Intercept outgoing email at various points of delivery to gain access to private information
  • 16. Three steps to compliance
    Develop privacy policies
    • Needs/risk assessment
    • Define policies
    • Create clear rules for the distribution of confidential info
    • Provide and support an easy to use technical solution to enforce policies and procedures
    Eliminate human error
    • People make mistakes
    • Most data is compromised inadvertently
    • Up to 80% of breaches are caused internally
    Protect confidential information
    • Apply encryption to all confidential info, across all platforms and devices
    • Enforce encryption automatically using a policy engine
    • Alternately encrypt emails directly from the desktop
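The “enforce encryption automatically using a policy engine” step above, as an added Python example that is not from the webinar, Echoworx or Compliancy Group: a mail-gateway policy check that scans an outgoing message for the regulated data classes the deck lists (SSNs, payment card numbers, health data) and returns an encrypt-or-send decision, leaving the actual encryption to the gateway. The detector patterns, the health-data keyword list and the sample messages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Detectors for the regulated data classes named in the deck. The patterns
# and keyword list are assumptions for this example, not any product's rules.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")          # 14-19 digit card numbers
HEALTH_RE = re.compile(r"\b(diagnosis|patient|medical record|prescription|mrn)\b", re.I)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs so test data does not trigger encryption."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    action: str                      # "encrypt" or "send"
    findings: list = field(default_factory=list)


def classify(subject: str, body: str) -> Decision:
    """Decide whether an outgoing message must be encrypted before leaving the gateway."""
    text = f"{subject}\n{body}"
    findings = []
    if any(is_valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        findings.append("ssn")
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("payment_card")
            break
    if HEALTH_RE.search(text):
        findings.append("health_data")
    return Decision("encrypt" if findings else "send", findings)


# Constructed sample messages (not real data) to exercise the policy.
SAMPLE_MESSAGES = [
    ("Lab results", "Patient John Doe diagnosis attached"),
    ("Invoice", "Card 4111 1111 1111 1111 exp 12/25"),
    ("HR form", "SSN 123-45-6789"),
    ("HR form", "SSN 000-12-3456"),               # structurally invalid, should pass
    ("Lunch", "Meet at noon? Call 555-0100"),
]


def run_policy(messages=SAMPLE_MESSAGES) -> list:
    """Return (subject, action, findings) for every message, as a gateway log would."""
    return [(s, d.action, d.findings) for s, b in messages for d in [classify(s, b)]]


if __name__ == "__main__":
    for subject, action, findings in run_policy():
        print(f"{subject:12} -> {action:8} {findings}")
```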
  • 17. Protecting confidential information using encryption puts you on the right track to compliance
  • 18. You can pay for encryption now … or pay more later
    Country     Cost per Record   Cost of Breach
    Australia   $114              $1.83M
    France      $119              $2.53M
    Germany     $177              $3.44M
    UK          $98               $2.57M
    USA         $204              $6.75M
    Average     $142              $3.43M
    Source: Ponemon 2011
  • 19. Consequences of non-compliance
    • Significant fines
    • Loss of reputation
    • Loss of customers
    • Interception / disclosure of outgoing email
    • Likelihood of inbound email attacks
    • Loss/theft of private information
  • 20. Disclosing data breaches
    • Before, there was no law requiring disclosure of a data breach
    • Today all data breaches have to be disclosed to the affected parties
    • Organizations must:
      – Disclose any breach of security
      – Provide notification of the breach in the most expedient time possible
      – Provide notification without unreasonable delay
      – Provide notification to a major media outlet
      – List data breaches on a data breach notification website
      – Individuals have to be compensated for their loss
      – Identity thefts constitute big dollar payouts
  • 21. California SB 1386
    • If a breach occurs, the affected entities must:
      – Disclose any breach of security of the system
      – Following discovery, provide notification of the breach in the most expedient time possible and without unreasonable delay, in writing, to any resident in California whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized party
    • A model for most of the US State Data Breach notification laws
    • A model for many global data breach laws and privacy laws
  • 22. Physical security
    • Don't forget physical security
    • This is often overlooked and neglected
    • Restrict and monitor access to servers
    • Secure facilities and infrastructure
    • Alert on all system disruptions and outages
  • 23. Compliance
    Misconceptions
    • Compliance with certain laws does not equal compliance with all laws
    • Federal PCI compliance does not equal compliance with state oriented PCI laws. Each state has a different perspective on PCI
    Best Practice
    • Organizations must actively manage ALL compliance regulations
    • No shortcut for regulatory analysis
    • Need an approach that scales
      – Many national, state, and global regulations and more coming
    • Email and Data Encryption is part of all these regulations
  • 24. HIPAA
    • 6,499 active HIPAA privacy rule investigations underway
    • 23% of total HIPAA privacy complaints resulted in fines
    • Penalties are based on intent behind the violation
    • Fines of up to $1.5 million
    • Mandatory audits by U.S.A. HHS
  • 25. HIPAA
    A licensed practical nurse who pled guilty to wrongfully disclosing a patient's health information for personal gain faces a maximum penalty of 10 years imprisonment, a $250,000 fine or both (2011). Andrea Smith, LPN, 25, of Trumann, Arkansas, and her husband, Justin Smith, were indicted on federal charges of conspiracy to violate and substantive violations of the Health Insurance Portability and Accountability Act (HIPAA) in December.
    Nearly three dozen hospital workers at Allina Hospitals were fired Thursday after violating privacy rules involving a high-profile overdose case (2011). The reason for the firings is the same for all of them: looking up medical information about Trevor Robinson and the other people involved without permission. All these are classified as HIPAA violations.
  • 26. HIPAA
    A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA. Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27, 2010 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney's Office for the Central District of California. Zhou was also fined $2,000.
    Cignet Health of Prince George's County in Washington has been fined a total of $4.3 million for violations of HIPAA. The Department of Health and Human Services Office of Civil Rights alleges Cignet violated 41 patients' rights in 2008 and 2009 by not providing them access to their medical records in a reasonable amount of time.
  • 27. HIPAA
    HIPAA violations can be applied to both larger and smaller medical offices. Phoenix Cardiac Surgery, a small surgery center with 5 physicians, was recently fined (April 2012) $100,000 by OCR for failing to protect patient information.
    California recently (Jan 2012) fined 14 hospitals a total of $850,000 for a variety of errors that put patients and patient data at risk. The highest penalty of $100,000 was assessed on two hospitals, Mission Hospital Regional Medical Center, Mission Viejo, and Scripps Memorial Hospital La Jolla, for various HIPAA violations. The rest of the penalties were for $50,000 or $25,000. Most were for failure to follow best practices for PHI protection.
  • 28. HIPAA
    • Controls physical security, data protection, policies and procedures
    • Must encrypt patient health information (PHI) transmitted over public networks
    • May use and disclose PHI only as permitted
    • May disclose PHI to business associates only if it obtains “satisfactory assurance” that the business associate will properly safeguard the information
    • Not compliant if business associate agreement is not adequate, not in place, or not enforced
    • More info: http://www.hhs.gov/ocr/privacy/
  • 29. Gramm-Leach-Bliley Act (GLBA)
    • Financial institutions can be fined up to $100,000 for each violation
    • Executives could be fined up to $10,000 for each violation
    • Criminal penalties may include up to five years in prison
    • Financial institutions must notify individuals if their personal financial information is used or shared inappropriately
    REQUIREMENTS
    • Data encryption with the ability to log and audit should be a key part of any GLBA compliance plan
    • Regulators want to see clear proof that information security policies are in place and are being enforced
    EXAMPLE
    • FTC cracked down on a mortgage company for violating the privacy rules of the GLBA. The result: 10 years of company audits
  • 30. Payment card industry (PCI)
    • PCI safeguards payment cardholder data
    • 67% of PCI-regulated companies are still not in full compliance with the standard (Information Week, April 2012)
    • PCI data breaches increased from 79% in 2009 to 85% in 2012 (Ponemon 2012)
    • Two of the largest credit card thefts in history:
    • Heartland Corporation: intruders broke into its systems and stole data of more than 130 million credit and debit cards (2012)
    • TJ Maxx had 94 million cards compromised (2007)
  • 31. Payment card industry requirements
    Control Objectives and PCI DSS Requirements
    Build and Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
    Maintain a Vulnerability Management Program
      5. Use and regularly update anti-virus software on all systems commonly affected by malware
      6. Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
      7. Restrict access to cardholder data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
    Maintain an Information Security Policy
      12. Maintain a policy that addresses information security
  • 32. Privacy & security globally
    • Examples of countries with Data Protection
    Countries with Data Privacy Laws: 15 EU Members, Argentina, Australia, Brazil, Bulgaria, Canada, Chile, Czech Republic, Estonia, Hong Kong, Japan, Hungary, Iceland, Israel, New Zealand, Norway, Paraguay, Poland, Russia, Slovakia, Switzerland, Taiwan
  • 33. Privacy & security globally
    • Examples of countries with limited or no data protection
    Countries without Data Privacy Laws: Most of Asia except Russia, China, India (in progress quickly), Africa, Malaysia, Philippines, Singapore (evolving), Central America, Mexico, Middle East except Israel
  • 34. Global regulations
    U.S.A. Sectoral Laws
    • HIPAA - Health Insurance Portability and Accountability Act
    • HITECH - Health Information Technology for Economic and Clinical Health Act
    • FCRA - Fair Credit Reporting Act - impacts employment re credit checks
    • COPPA - Children's Online Privacy Protection Act - impacts marketing to children
    • CAN-SPAM - Controlling Assault on Non-Solicited Pornography and Marketing
    • TSR - Telemarketing Sales Rule, DNC - Do Not Call, DNF - Do Not Fax
    • GLBA - Gramm-Leach-Bliley - impacts financial information
    • FTC Act (unfair and deceptive practices)
    • GINA - Genetic Information Nondiscrimination Act
    Outside the U.S.A.
    • Countries with comprehensive privacy laws (e.g. EEA, Japan, Argentina, Canada, Australia)
    • Countries with sectoral laws or as part of their constitution: Colombia, Paraguay, Venezuela, Ecuador, Uruguay
    • EU Data Protection Directive: Safe Harbor as it relates to the EU Directive
  • 35. Privacy in Australia
    • Privacy in Australian law is the right of natural persons to protect their personal life from invasion and to control the flow of their personal information.
    • Privacy is not an absolute right; it differs in different contexts and is balanced against other competing rights and duties.
    • It is affected by the Australian common law and a range of Commonwealth, State and Territorial laws and administrative arrangements.
  • 36. Privacy in Australia
    • Privacy can be divided into a number of separate, but related, concepts:
      – Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records. It is also known as data protection
      – Bodily privacy, which concerns the protection of people's physical selves against invasive procedures such as genetic tests, drug testing and cavity searches
      – Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication
      – Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks
  • 37. Privacy in Brazil
    • A Brazilian citizen's privacy is protected by the country's constitution, which states:
      – The intimacy, private life, honor and image of the people are inviolable, with assured right to indemnization for material or moral damage resulting from its violation
  • 38. Privacy in Canada
    • Federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information in connection with commercial activities and personal information about employees of federal works, undertakings and businesses
    • Does not apply to non-commercial organizations or provincial governments
    • Personal information collected and used by the federal government is governed by the Privacy Act
    • Many provinces have enacted similar provincial legislation, such as the Ontario Freedom of Information and Protection of Privacy Act, which applies to public bodies in that province
  • 39. Privacy in India
    • New privacy rules and laws (June 2011)
      – Any organization that processes personal information must obtain written consent from the data subjects before undertaking certain activities
    • Information Technology (Amendment) Act, 2008
      – Section 43A deals with implementation of reasonable security practices for sensitive personal data or information, including encryption, and provides for the compensation of the person affected by wrongful loss or wrongful gain
      – Section 72A provides for imprisonment for a period up to 3 years and/or a fine up to Rs.5,00,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of a lawful contract
  • 40. Privacy in Taiwan
    • Computer Processed Personal Information Protection Act was enacted in 1995 in order to protect personal information processed by computers
    • The general provision specified the purpose of the law, defined crucial terms, and prohibited individuals from waiving certain rights.
  • 41. Resources
    • http://www.ftc.gov/bcp/menus/consumer/data/child.shtm
    • http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm
    • http://www.ftc.gov/bcp/menus/consumer/data/privacy.shtm
    • HIPAA Privacy Rule: http://privacyruleandresearch.nih.gov/
    • Data Privacy Day: http://dataprivacyday2010.org/
    • IAPP - International Association of Privacy Professionals: https://www.privacyassociation.org/
    • AICPA.org
    • http://www.hhs.gov/ocr/privacy/
  • 42. Compliance Simplified – Achieve, Illustrate, Maintain
    Compliance Simplified!
    • HIPAA Compliance
    • HITECH Attestation
    • Meaningful Use core measure 15
    Achieve, Illustrate, Maintain
    Free Demo and 15 Day Evaluation: 855.85HIPAA, http://compliancy-group.com/
    New & Past Webinars: http://compliancy-group.com/webinar/
    855.85HIPAA
    www.compliancygroup.com
  • 43. Thank you
    Presented by Robby Gulri, VP Products, gulri@echoworx.com
    For product inquiries: Ryan Vaudry, Account Director, vaudry@echoworx.com