
HITECH Act - Privacy & Security Solution


Verizon's solution for addressing the HITECH Act's Privacy and Security requirements. All US organizations (healthcare providers, payers and partners / business associates) that store or process Protected Healthcare Information (PHI) must comply with this Federal law.

  • No max penalty
  • Willful neglect
  • Must authorize and define the use of PHI in contracts w/ partners
  • 10% reduction in Medicare reimbursements if organization is not HIPAA compliant
  • Subtitle D of HITECH is Privacy
  • Dis-incentives in latter years of HITECH for non-Meaningful Users www.hipaasurvivalguide.com
  • [WSJ, 02/02/09] [ITRC]
  • Notices must be sent within 60 days
  • Over-rides FTC Red Flags
  • administrative, physical and technical
  • BAs are now within the jurisdiction of HHS
  • Goes into effect on 02/18/2010
  • Reduces the risk on CEs (by shifting some of it to BAs)
  • Other = HITECH / HIPAA Compliant Smart Centers, Secure Messaging, etc.
  • For the latest version, please contact Omar Khawaja
  • Verizon Business manages 260,000-plus security, network and hosting devices across more than 4,200 customer networks in 142 countries and territories.
  • Privacy Rights has tracked only 263 million breached records from Jan ‘05 to July ’09 (http://www.privacyrights.org/ar/ChronDataBreaches.htm#Total)
  • Threat & Vulnerability Intel: Track and analyze new software vulnerabilities and related attacks
  • Underground Intel: Watch discussions, code sharing, planning,... Historically BBS, then Usenet, now more IRC and Cons...
  • ICSA Labs Intel: Security product testing and security consortia operations. 400+ products
  • Forensics Intel: Data and Intel from forensics investigations (200+ cases per year).
  • MSS Intel: Data from IDS, FW, IPS, Applications… Management & Monitoring SOC operations
  • Net Intel: Data from backbone. Sensors on more than 1 Million VzB addresses. Netflow, Honey nets, Honey Pots…
  • Studies & Surveys: VzB Studies, surveys (10+/yr), Others' published data to drive Risk Models, equations & methodology
  • OCR = Office of Civil Rights; HHS = Health and Human Services
  • State attorneys general can bring civil action in federal court on behalf of residents whose privacy has been violated (Independent of ARRA)
  • HHS assigned to the OCR responsibility for enforcing HIPAA Security Rule (in addition to Privacy Rule)
  • Dec09


  • 1. HITECH Act Privacy & Security Solution Omar Khawaja [email_address] Global Product Management November, 2010
  • 2. HITECH Act Overview
    • = Health Information Technology for Economic and Clinical Health
    • Title 13 of ARRA
    • $20B
    • Objectives
      • Develop standards by 2010 for electronic exchange of healthcare information
      • Incentives to encourage doctors and hospitals to digitize
      • Save government $10B
      • Strengthen privacy and security to protect PHI
    • Expanded scope of HIPAA in HITECH
      • Mandates public notification of data breaches
      • Stricter compliance and accounting for ePHI requests
      • Responsibility for managing PHI at Business Associates
    Stiff enforcement, penalties: $50k to $1.5MM per violation
  • 3. Background “ Meaningful Use”
    • Criteria that needs to be met by healthcare providers to qualify for HITECH grants and incentives
    • CMS provides $18B in reimbursement incentives for “meaningful users”
    • Five Policy Priorities to establish Meaningful Use:
      • Improved Quality, Safety, and Efficiency
      • Engage Patients and Families
      • Improve Care Coordination
      • Improve Public Health
      • Ensure Privacy & Security of PHI
    • Care Goals
    • Set of Objectives & Measures for Each Two Year Window (2011, 2013, and 2015)
  • 4. New Security Requirement 1. Breach Notification
  • 5. New Security Requirement 2. ePHI Accounting
  • 6. Background What is a Business Associate?
    • Person or entity that performs certain functions or activities that involve the use or disclosure of PHI
    • Work on behalf of, or provides services to, a Covered Entity (CE)
    • Member of the CE’s workforce is not a BA
    • May include:
      • Accountants
      • Consultants
      • Pharmacy
      • Payers (health insurance provider)
      • Labs (e.g.: LabCorp)
      • Software Vendors (EHR, PHR, etc.)
      • HIOs, RHIOs, HIEs
    • How many BAs?
      • United Healthcare Group: 3600+ BAs
      • Humana: 2400+ BAs
      • Medco: ~900 BAs
  • 7. New Security Requirement 3. Business Associates
  • 8. Verizon’s HITECH Solution How it all comes together… Consulting Services Managed Services Data Discovery HITRUST
    • Prepare for Compliance
      • Compliance Strategy
      • Compliance Review
      • Readiness Assessment
      • Data Discovery
    • Obtain Compliance
      • Remediation
      • Assessments for…
        • Company
        • Business Associates
        • Products
    • Maintain Compliance
      • SMP-H
  • 9. Why Verizon? Indisputable Reputation Transfer effective best practices that have proven to work based on 1700+ security engagements delivered in 2008
  • 10. Why Verizon? Leading Provider of Security Solutions
    • Industry Recognition
      • Verizon is the leading global MSSP (Gartner, Forrester)
      • Verizon security consultants actively participate in 20+ security industry specific organizations
      • Verizon Security Consulting practice recognized as a Strong Performer (Forrester)
      • ICSA Labs is the industry standard for certifying security products
    • Credentials
      • BSI Associate Consultant for ISO 27001 and BS 25999
      • PCI ASV , QSA and PA-QSA
      • CREST approved penetration tester
      • HITRUST Qualified CSF Assessor and member Leadership Roundtable
    • Global Reach
      • 500+ dedicated security consultants based in 23 countries that speak 24 languages
      • Serve 77% of Forbes Global 2000
      • 7 sources of risk intelligence
    • Experience
      • Investigated breaches involving 900+ million records
      • Verizon SMP is the oldest security certification program in the industry
      • Provide national identity solutions in over 25 countries
      • Provide services to 78% of Fortune 100
      • Delivered 1800+ security consulting engagements in 2009
  • 11. Finally…
    • The Federal Government is serious
      • Apr ‘03 – Feb ‘09: 42k HIPAA complaints, 0 penalties
      • May ‘09: Kaiser fined $250k for privacy breach
      • Security of PHI is required for Meaningful Use
    • Lack of security is costly
      • Aug ‘08: LensCrafters settles class action suit for $20m
      • Jan ‘09: VA to pay $20m for privacy breach
      • Individuals (not just organizations) are on the hook
    • Why VzB?
      • VzB already has the services to address HITECH Privacy and Security
      • VzB has 2800+ healthcare customers
      • VzB has a dedicated Healthcare Solutions team
      • Transfer knowledge based on 1800+ security consulting engagements in just 2009
    • For even more information…
  • 13. HITECH Act Enforcement and Penalties
    • Criminal penalties can now be applied to individuals (not just companies)
    • New system of civil monetary penalties that incorporates concept of “willful neglect”
    • Establishment of methodology to distribute to harmed individuals a portion of civil penalties collected
    • State attorneys general can bring civil action on behalf of residents whose privacy has been violated
    • Requires HHS secretary to periodically audit CEs, BAs
    • OCR responsible for enforcing HIPAA Security and Privacy Rules
  • 14. HITRUST-VzB Relationship