SlideShare a Scribd company logo

Data Management Protection Acts

Download as PPTX, PDF
Joseph White MPA CPM
Joseph White MPA CPM
1 of 29
Data Management 101 Data Management Protection Acts Joe White
Gramm - Leach - Bliley Act • Passed in 1999 • Directed toward Financial Firms that manage PPI • Firms must explain their information sharing practices to their customers • Firms must instill safeguards to all data created, provisioned, stored, and destroyed
Firms that GLB act applies to… • Non Bank Mortgage Lenders • Real Estate Appraisers • Loan Brokers • Investment Advisers • Debt Collectors • Tax Return Preparers • Banks • Real Estate Settlement Providers
Definition of a Customer(1) Definition: A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. Examples of consumer relationships: •Applying for a loan •Obtaining cash from a foreign ATM, even if it occurs on a regular basis •Cashing a check with a check-cashing company •Arranging for a wire transfer
Definition of a Customer(2) Definition: A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer. Examples of establishing a customer relationship: •Opening a credit card account with a financial institution •Entering into an automobile lease (on a non-operating basis for an initial lease term of at least 90 days) • with an automobile dealer •Providing personally identifiable financial information to a broker in order to obtain a mortgage loan •Obtaining a loan from a mortgage lender •Agreeing to obtain tax preparation or credit counseling services
Financial Security Plan • Firms must complete a written security plan • Plans must match the size and complexity of the firm • Plans must match the scope of the firm • Plans must consist of: • 1 employee in charge • Identify and assess risks in each area of operation • Evaluate effectiveness of plan • Create a safeguards program • Audit and select service providers with appropriate safeguards • Evaluate and change programs based on recent circumstances
3 Areas of Information Security for Firm Focus • EmployeeTraining (social engineering, warning signs, traps) • Information Systems (upgrades, software, data management) • Detecting System Failures(zero days, integrations, upgrades)
Create Proper Organizational Policy• Create Relevant Policy based of history and facts • Assign responsible employee • Build bridges with similar organizations • Establish a cycle of review and updates • Create Law Enforcement Notification Plan • Chain of Command • Phone numbers and Emails • Annual Meetings and Conferences • Impose Disciplinary actions for policy violations • Create uniformity and understanding of consequences • Data Disposition and Purge Routines • MonitorWebsites and Software
HIPAA (Health Insurance Portability and Accountability Act) • Created in 1996 • Created by the Department of Health and Human Services • Focuses on the electronic exchange, privacy, and storage of healthcare information • Opened the law up for modifications in 2002 • Received over 11,000 comments
Interested Parties • The Privacy Rule, as well as all the Administrative Simplification rules, apply to: • health plans • health care clearinghouses • health care provider who transmits health information in electronic form • Business Associate Contractor/Consultant
Privacy applies to PHI (Private Healthcare Info) • “Individually identifiable health information” is information, including demographic data, that relates to: • the individual’s past, present or future physical or mental health or condition • the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, • identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. • Individually identifiable health information • includes many common identifiers (e.g name, address, birth date, Social Security Number).
Basic Principle of HIPAA • A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: • (1) as the Privacy Rule permits or requires; • (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Required Disclosures • A covered entity must disclose protected health information in only two situations: • (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and • (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
Permitted Disclosures • A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: • (1) To the Individual (unless required for access or accounting of disclosures) • (2) Treatment, Payment, and Health Care Operations • (3) Opportunity to Agree or Object • (4) Incident to an otherwise permitted use and disclosure • (5) Public Interest and Benefit Activities; and OCR Privacy Rule Summary • (6) Limited Data Set for the purposes of research, public health or health care operations.
1.To the Individual • A covered entity may disclose protected health information to the individual who is the subject of the information.
2.ToTreatment, Payment, Health Care Operations • A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. • A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.
3. For Uses and Disclosures with Opportunity to Agree or Object • permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
4. Incidental Use and Disclosure. • The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule.
5. For Public Interest and Benefit Activities. • The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes.These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.
12 Public Interest Purposes for disclosure • Required by Law • Public Health Activities • Victims of Abuse, Neglect or DomesticViolence • Health OversightActivities • Judicial and Administrative Proceedings • Law Enforcement Purposes • Decedents • Cadaveric Organ, Eye, or Tissue Donation • Research • SeriousThreat to Health or Safety • EssentialGovernment Functions • Workers’ Compensation
6. Limited Data Set • A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. • A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
Minimum Necessary Requirement • A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. • A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
Internal Access and Uses of PHI data • For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
Establishing Routines for Data Disclosures • Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limits the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non- routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria.
Reasonable Professional Reliance • If another covered entity makes a request for protected health information, a covered entity may rely, if reasonable under the circumstances, on the request as complying with this minimum necessary standard. Similarly, a covered entity may rely upon requests as being the minimum necessary protected health information from: • (a) a public official • (b) a professional (such as an attorney or accountant) who is the covered entity’s business associate, seeking the information to provide services to or for the covered entity • (c) a researcher who provides the documentation or representation required by the Privacy Rule for research.
State vs Federal Exception • Federal regulations trump all state regulations unless… • It is necessary to prevent fraud and abuse related to the provision of or payment for health care, • It is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation, • It is necessary for State reporting on health care delivery or costs, • It is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or • Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
Law Enforcement Penalties and Sanctions(1) • Civil Money Penalties • HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.
Law Enforcement Penalties and Sanctions(2) • Criminal Penalties. • A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment.The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.
Relevant Citation Sources • https://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley _Act • https://www.hhs.gov/sites/default/files/privacysummary.pdf

Recommended

HIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersHIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersLawgical
 
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...Xiaoming Zeng
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRNupur Samaddar
 
Hipaa,obra ariz
Hipaa,obra arizHipaa,obra ariz
Hipaa,obra arizAriz Krizia
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy Amiit Keshav Naik
 
Intro to information governance booklet
Intro to information governance bookletIntro to information governance booklet
Intro to information governance bookletGerardo Medina
 
The viability of Personal Health Information MHA690
The viability of Personal Health Information MHA690The viability of Personal Health Information MHA690
The viability of Personal Health Information MHA690camillemaxwell2
 
Hi103 week 5 chpt 13
Hi103 week 5 chpt 13Hi103 week 5 chpt 13
Hi103 week 5 chpt 13BealCollegeOnline
 

Recommended

HIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersHIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersLawgical
 
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...
Patient Privacy Provisions of the HITECH Act Implications for Patients and Sm...Xiaoming Zeng
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRNupur Samaddar
 
Hipaa,obra ariz
Hipaa,obra arizHipaa,obra ariz
Hipaa,obra arizAriz Krizia
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy Amiit Keshav Naik
 
Intro to information governance booklet
Intro to information governance bookletIntro to information governance booklet
Intro to information governance bookletGerardo Medina
 
The viability of Personal Health Information MHA690
The viability of Personal Health Information MHA690The viability of Personal Health Information MHA690
The viability of Personal Health Information MHA690camillemaxwell2
 
Hi103 week 5 chpt 13
Hi103 week 5 chpt 13Hi103 week 5 chpt 13
Hi103 week 5 chpt 13BealCollegeOnline
 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit ImplementationValency Networks
 
Pdpa presentation
Pdpa presentationPdpa presentation
Pdpa presentationAlan Teh
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceManny Oliverez
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118robint2125
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersJason Karn
 
Hi103 week 4 chpt 10
Hi103 week 4 chpt 10Hi103 week 4 chpt 10
Hi103 week 4 chpt 10BealCollegeOnline
 
Hm300 week 6
Hm300 week 6 Hm300 week 6
Hm300 week 6 BHUOnlineDepartment
 
Hi103 week 5 chpt 12
Hi103 week 5 chpt 12Hi103 week 5 chpt 12
Hi103 week 5 chpt 12BealCollegeOnline
 
Public sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterPublic sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterBrowne Jacobson LLP
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
Hi103 week 5 chpt 14
Hi103 week 5 chpt 14Hi103 week 5 chpt 14
Hi103 week 5 chpt 14BealCollegeOnline
 
Hipaa
HipaaHipaa
Hipaabelziebub
 
DVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PADVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PAWilliam Buddy Gillespie ITIL Certified
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA TrainingCynthia Holland
 
Protection of patient data in EU vs. US
Protection of patient data in EU vs. USProtection of patient data in EU vs. US
Protection of patient data in EU vs. USErik R. Ranschaert, MD, PhD
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019Jose Ivan Delgado, Ph.D.
 
What’s Up eDoc?: A Health IT Privacy Primer
What’s Up eDoc?: A Health IT Privacy PrimerWhat’s Up eDoc?: A Health IT Privacy Primer
What’s Up eDoc?: A Health IT Privacy PrimerMaRS Discovery District
 
Adolescent Adoption_Infographic
Adolescent Adoption_InfographicAdolescent Adoption_Infographic
Adolescent Adoption_InfographicSummer Robinson
 
Data management risk management
Data management risk managementData management risk management
Data management risk managementJoseph White MPA CPM
 
Javaee7 jsr356-websocket
Javaee7 jsr356-websocketJavaee7 jsr356-websocket
Javaee7 jsr356-websocketJini Lee
 

More Related Content

What's hot

HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit ImplementationValency Networks
 
Pdpa presentation
Pdpa presentationPdpa presentation
Pdpa presentationAlan Teh
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118robint2125
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersJason Karn
 
Public sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterPublic sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterBrowne Jacobson LLP
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
What’s Up eDoc?: A Health IT Privacy Primer
What’s Up eDoc?: A Health IT Privacy PrimerWhat’s Up eDoc?: A Health IT Privacy Primer
What’s Up eDoc?: A Health IT Privacy PrimerMaRS Discovery District
 

What's hot (19)

HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit Implementation
 
Pdpa presentation
Pdpa presentationPdpa presentation
Pdpa presentation
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
 
Hipaa overview 073118
Hipaa overview 073118Hipaa overview 073118
Hipaa overview 073118
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
 
HIPAA and Privacy for Researchers
HIPAA and Privacy for ResearchersHIPAA and Privacy for Researchers
HIPAA and Privacy for Researchers
 
Hi103 week 4 chpt 10
Hi103 week 4 chpt 10Hi103 week 4 chpt 10
Hi103 week 4 chpt 10
 
Hm300 week 6
Hm300 week 6 Hm300 week 6
Hm300 week 6
 
Hi103 week 5 chpt 12
Hi103 week 5 chpt 12Hi103 week 5 chpt 12
Hi103 week 5 chpt 12
 
Public sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, ExeterPublic sector breakfast club - October 2017, Exeter
Public sector breakfast club - October 2017, Exeter
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability Act
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
Hi103 week 5 chpt 14
Hi103 week 5 chpt 14Hi103 week 5 chpt 14
Hi103 week 5 chpt 14
 
Hipaa
HipaaHipaa
Hipaa
 
DVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PADVHIMSS Ensuring Privacy and Security of HIEs in PA
DVHIMSS Ensuring Privacy and Security of HIEs in PA
 
Annual HIPAA Training
Annual HIPAA TrainingAnnual HIPAA Training
Annual HIPAA Training
 
Protection of patient data in EU vs. US
Protection of patient data in EU vs. USProtection of patient data in EU vs. US
Protection of patient data in EU vs. US
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019
 
What’s Up eDoc?: A Health IT Privacy Primer
What’s Up eDoc?: A Health IT Privacy PrimerWhat’s Up eDoc?: A Health IT Privacy Primer
What’s Up eDoc?: A Health IT Privacy Primer
 

Viewers also liked

Adolescent Adoption_Infographic
Adolescent Adoption_InfographicAdolescent Adoption_Infographic
Adolescent Adoption_InfographicSummer Robinson
 
Javaee7 jsr356-websocket
Javaee7 jsr356-websocketJavaee7 jsr356-websocket
Javaee7 jsr356-websocketJini Lee
 
diapositivas de historia del computador
diapositivas de historia del computadordiapositivas de historia del computador
diapositivas de historia del computadorlaura Monsalve J
 
Opciones para una transición energética sustentable (oxkutzcab)
Opciones para una transición energética sustentable (oxkutzcab)Opciones para una transición energética sustentable (oxkutzcab)
Opciones para una transición energética sustentable (oxkutzcab)Jovany González
 
Internship report
Internship reportInternship report
Internship reportMomina Bibi
 
Data analysis research (relatability study)
Data analysis research (relatability study)Data analysis research (relatability study)
Data analysis research (relatability study)Joseph White MPA CPM
 
Enterprise Usability: The Olive Garden Principle
Enterprise Usability: The Olive Garden PrincipleEnterprise Usability: The Olive Garden Principle
Enterprise Usability: The Olive Garden PrincipleDylan Wilbanks
 

Viewers also liked (9)

Adolescent Adoption_Infographic
Adolescent Adoption_InfographicAdolescent Adoption_Infographic
Adolescent Adoption_Infographic
 
Data management risk management
Data management risk managementData management risk management
Data management risk management
 
Javaee7 jsr356-websocket
Javaee7 jsr356-websocketJavaee7 jsr356-websocket
Javaee7 jsr356-websocket
 
Estudiante leidy
Estudiante leidyEstudiante leidy
Estudiante leidy
 
diapositivas de historia del computador
diapositivas de historia del computadordiapositivas de historia del computador
diapositivas de historia del computador
 
Opciones para una transición energética sustentable (oxkutzcab)
Opciones para una transición energética sustentable (oxkutzcab)Opciones para una transición energética sustentable (oxkutzcab)
Opciones para una transición energética sustentable (oxkutzcab)
 
Internship report
Internship reportInternship report
Internship report
 
Data analysis research (relatability study)
Data analysis research (relatability study)Data analysis research (relatability study)
Data analysis research (relatability study)
 
Enterprise Usability: The Olive Garden Principle
Enterprise Usability: The Olive Garden PrincipleEnterprise Usability: The Olive Garden Principle
Enterprise Usability: The Olive Garden Principle
 

Similar to Data Management Protection Acts

HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowShred-it
 
HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101benefitexpress
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedomG Prachi
 
HIPAA Training: Privacy Review and Audit Survival Guide
HIPAA Training: Privacy Review and Audit Survival GuideHIPAA Training: Privacy Review and Audit Survival Guide
HIPAA Training: Privacy Review and Audit Survival Guidebenefitexpress
 
PHIE Privacy Guidelines
PHIE Privacy GuidelinesPHIE Privacy Guidelines
PHIE Privacy GuidelinesRomsty
 
Legal implications of HIPAA, HITECH and BAAs
Legal implications of HIPAA, HITECH and BAAsLegal implications of HIPAA, HITECH and BAAs
Legal implications of HIPAA, HITECH and BAAsOnline Tech
 
Imac 2011
Imac 2011Imac 2011
Imac 2011sebmojo
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptxQmcleod
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptxQmcleod
 
Ruggiero.hipaa training
Ruggiero.hipaa trainingRuggiero.hipaa training
Ruggiero.hipaa trainingGina Ruggiero
 
2013 06-21 HIPPA omnibus rule
2013 06-21 HIPPA omnibus rule2013 06-21 HIPPA omnibus rule
2013 06-21 HIPPA omnibus ruleDusaElraha
 
Ann Cavoukian Presentation
Ann Cavoukian PresentationAnn Cavoukian Presentation
Ann Cavoukian PresentationCityAge
 
HIPAA Rights Privacy and Enforcements RD.pptx
HIPAA Rights Privacy and Enforcements RD.pptxHIPAA Rights Privacy and Enforcements RD.pptx
HIPAA Rights Privacy and Enforcements RD.pptxRAJIV RANJAN DAS
 
HIPAA – Where’s the Harm? Final Rule Update
HIPAA – Where’s the Harm? Final Rule Update HIPAA – Where’s the Harm? Final Rule Update
HIPAA – Where’s the Harm? Final Rule Update Resilient Systems
 
The viability of personal health related information
The viability of personal health related information The viability of personal health related information
The viability of personal health related information camillemaxwell2
 
Becoming HITECH - 9/2009
Becoming HITECH - 9/2009Becoming HITECH - 9/2009
Becoming HITECH - 9/2009rogersons
 
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc
 

Similar to Data Management Protection Acts (20)

HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
 
HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101HIPAA Privacy for Employers 101
HIPAA Privacy for Employers 101
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedom
 
HIPAA Training: Privacy Review and Audit Survival Guide
HIPAA Training: Privacy Review and Audit Survival GuideHIPAA Training: Privacy Review and Audit Survival Guide
HIPAA Training: Privacy Review and Audit Survival Guide
 
PHIE Privacy Guidelines
PHIE Privacy GuidelinesPHIE Privacy Guidelines
PHIE Privacy Guidelines
 
Legal implications of HIPAA, HITECH and BAAs
Legal implications of HIPAA, HITECH and BAAsLegal implications of HIPAA, HITECH and BAAs
Legal implications of HIPAA, HITECH and BAAs
 
Imac 2011
Imac 2011Imac 2011
Imac 2011
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptx
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptx
 
Ruggiero.hipaa training
Ruggiero.hipaa trainingRuggiero.hipaa training
Ruggiero.hipaa training
 
Hipaa training
Hipaa trainingHipaa training
Hipaa training
 
2013 06-21 HIPPA omnibus rule
2013 06-21 HIPPA omnibus rule2013 06-21 HIPPA omnibus rule
2013 06-21 HIPPA omnibus rule
 
HNI U: HIPAA Essentials
HNI U: HIPAA EssentialsHNI U: HIPAA Essentials
HNI U: HIPAA Essentials
 
Ann Cavoukian Presentation
Ann Cavoukian PresentationAnn Cavoukian Presentation
Ann Cavoukian Presentation
 
HIPAA Rights Privacy and Enforcements RD.pptx
HIPAA Rights Privacy and Enforcements RD.pptxHIPAA Rights Privacy and Enforcements RD.pptx
HIPAA Rights Privacy and Enforcements RD.pptx
 
HIPAA – Where’s the Harm? Final Rule Update
HIPAA – Where’s the Harm? Final Rule Update HIPAA – Where’s the Harm? Final Rule Update
HIPAA – Where’s the Harm? Final Rule Update
 
The viability of personal health related information
The viability of personal health related information The viability of personal health related information
The viability of personal health related information
 
Becoming HITECH - 9/2009
Becoming HITECH - 9/2009Becoming HITECH - 9/2009
Becoming HITECH - 9/2009
 
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
 
HIPAA2
HIPAA2HIPAA2
HIPAA2
 

Data Management Protection Acts

  • 1. Data Management 101 Data Management Protection Acts Joe White
  • 2. Gramm - Leach - Bliley Act • Passed in 1999 • Directed toward Financial Firms that manage PPI • Firms must explain their information sharing practices to their customers • Firms must instill safeguards to all data created, provisioned, stored, and destroyed
  • 3. Firms that GLB act applies to… • Non Bank Mortgage Lenders • Real Estate Appraisers • Loan Brokers • Investment Advisers • Debt Collectors • Tax Return Preparers • Banks • Real Estate Settlement Providers
  • 4. Definition of a Customer(1) Definition: A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. Examples of consumer relationships: •Applying for a loan •Obtaining cash from a foreign ATM, even if it occurs on a regular basis •Cashing a check with a check-cashing company •Arranging for a wire transfer
  • 5. Definition of a Customer(2) Definition: A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer. Examples of establishing a customer relationship: •Opening a credit card account with a financial institution •Entering into an automobile lease (on a non-operating basis for an initial lease term of at least 90 days) • with an automobile dealer •Providing personally identifiable financial information to a broker in order to obtain a mortgage loan •Obtaining a loan from a mortgage lender •Agreeing to obtain tax preparation or credit counseling services
  • 6. Financial Security Plan • Firms must complete a written security plan • Plans must match the size and complexity of the firm • Plans must match the scope of the firm • Plans must consist of: • 1 employee in charge • Identify and assess risks in each area of operation • Evaluate effectiveness of plan • Create a safeguards program • Audit and select service providers with appropriate safeguards • Evaluate and change programs based on recent circumstances
  • 7. 3 Areas of Information Security for Firm Focus • EmployeeTraining (social engineering, warning signs, traps) • Information Systems (upgrades, software, data management) • Detecting System Failures(zero days, integrations, upgrades)
  • 8. Create Proper Organizational Policy• Create Relevant Policy based of history and facts • Assign responsible employee • Build bridges with similar organizations • Establish a cycle of review and updates • Create Law Enforcement Notification Plan • Chain of Command • Phone numbers and Emails • Annual Meetings and Conferences • Impose Disciplinary actions for policy violations • Create uniformity and understanding of consequences • Data Disposition and Purge Routines • MonitorWebsites and Software
  • 9. HIPAA (Health Insurance Portability and Accountability Act) • Created in 1996 • Created by the Department of Health and Human Services • Focuses on the electronic exchange, privacy, and storage of healthcare information • Opened the law up for modifications in 2002 • Received over 11,000 comments
  • 10. Interested Parties • The Privacy Rule, as well as all the Administrative Simplification rules, apply to: • health plans • health care clearinghouses • health care provider who transmits health information in electronic form • Business Associate Contractor/Consultant
  • 11. Privacy applies to PHI (Private Healthcare Info) • “Individually identifiable health information” is information, including demographic data, that relates to: • the individual’s past, present or future physical or mental health or condition • the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, • identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. • Individually identifiable health information • includes many common identifiers (e.g name, address, birth date, Social Security Number).
  • 12. Basic Principle of HIPAA • A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: • (1) as the Privacy Rule permits or requires; • (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
  • 13. Required Disclosures • A covered entity must disclose protected health information in only two situations: • (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and • (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
  • 14. Permitted Disclosures • A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: • (1) To the Individual (unless required for access or accounting of disclosures) • (2) Treatment, Payment, and Health Care Operations • (3) Opportunity to Agree or Object • (4) Incident to an otherwise permitted use and disclosure • (5) Public Interest and Benefit Activities; and OCR Privacy Rule Summary • (6) Limited Data Set for the purposes of research, public health or health care operations.
  • 15. 1.To the Individual • A covered entity may disclose protected health information to the individual who is the subject of the information.
  • 16. 2.ToTreatment, Payment, Health Care Operations • A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. • A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship.
  • 17. 3. For Uses and Disclosures with Opportunity to Agree or Object • permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
  • 18. 4. Incidental Use and Disclosure. • The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule.
  • 19. 5. For Public Interest and Benefit Activities. • The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes.These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.
  • 20. 12 Public Interest Purposes for disclosure • Required by Law • Public Health Activities • Victims of Abuse, Neglect or DomesticViolence • Health OversightActivities • Judicial and Administrative Proceedings • Law Enforcement Purposes • Decedents • Cadaveric Organ, Eye, or Tissue Donation • Research • SeriousThreat to Health or Safety • EssentialGovernment Functions • Workers’ Compensation
  • 21. 6. Limited Data Set • A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. • A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
  • 22. Minimum Necessary Requirement • A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. • A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
  • 23. Internal Access and Uses of PHI data • For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
  • 24. Establishing Routines for Data Disclosures • Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limits the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure. Individual review of each disclosure is not required. For non- routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually in accordance with the established criteria.
  • 25. Reasonable Professional Reliance • If another covered entity makes a request for protected health information, a covered entity may rely, if reasonable under the circumstances, on the request as complying with this minimum necessary standard. Similarly, a covered entity may rely upon requests as being the minimum necessary protected health information from: • (a) a public official • (b) a professional (such as an attorney or accountant) who is the covered entity’s business associate, seeking the information to provide services to or for the covered entity • (c) a researcher who provides the documentation or representation required by the Privacy Rule for research.
  • 26. State vs Federal Exception • Federal regulations trump all state regulations unless… • It is necessary to prevent fraud and abuse related to the provision of or payment for health care, • It is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation, • It is necessary for State reporting on health care delivery or costs, • It is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or • Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.
  • 27. Law Enforcement Penalties and Sanctions(1) • Civil Money Penalties • HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy Rule requirement. That penalty may not exceed $25,000 per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.
  • 28. Law Enforcement Penalties and Sanctions(2) • Criminal Penalties. • A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of $50,000 and up to one-year imprisonment.The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions will be enforced by the Department of Justice.
  • 29. Relevant Citation Sources • https://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley _Act • https://www.hhs.gov/sites/default/files/privacysummary.pdf