Training Your BA Workforce:
Understanding Obligations and Risk Exposure
June 26, 2014
Phyllis A. Patrick, MBA, FACHE, CISM, CHC
Robert J. Michalsky, CISSP, CSSLP
Session Topics
• Training and Awareness Requirements: HIPAA
Security and Privacy Rules
• Key Components of Effective Security and
Privacy Awareness Programs
• Breach Cases: Developing Strategies to Use
Training and Awareness Programs to Minimize
Risk Exposure
2
Understanding HIPAA Omnibus Obligations of Business
Associates
Training and Awareness Requirements
Legislative History and
BA Obligations
Timeline (figure): 1996, 2003, 2005, 2009, 2010, 2013
BAs required to comply with interim final breach notification
rule (9/23/09); BAs liable for certain privacy and security
requirements under HITECH (2/18/10).
The Omnibus (Final) Rule
• Most significant change in the four Rules (privacy,
security, breach, enforcement) is the impact on
Business Associates.
• BAs have had contractual obligations to comply with
HIPAA Privacy Rule (2003) and Security Rule (2005).
• HITECH: BAs are subject to statutory penalties for failure
to comply with the HIPAA Privacy, Security, and Breach
Notification Rules (45 CFR Parts 160 and 164, subpart E; 45 CFR
parts 160 and 164, subpart C; 45 CFR parts 160 and 164, subpart D).
• HITECH implementing regulations proposed including
subcontractors in the definition of BA.
• BAs now subject to legal obligations and enforcement
risk.
Who are sub-contractors?
• “Sub-contractor” includes those acting on behalf of a
sub-contractor.
• HIPAA requirements apply all the way down the sub-
contracting chain as far as the PHI flows.
• Covered Entities must ensure that they obtain
satisfactory assurances (in the form of a BAA) from their
Business Associates, and Business Associates must do
the same with regard to Sub-contractors, and so on, no
matter how far down the chain the PHI flows.
• Both the contractor and all of its sub-contractors are
Business Associates under the Final Rule to the extent
they create, receive, maintain, or transmit PHI.
Sub-contractor Issues
• Sub-contractors must understand their responsibilities
regarding HIPAA compliance: who communicates this
information to the sub-contractor, and how? What is
included in the contract and/or the BAA to codify this?
• Business Associates must enter into agreements with
their sub-contractors that include the same terms that
have always been required for Business Associate
Agreements.
Sub-contractor Issues (Cont’d)
• Challenge: HHS does not address the difficulty that
companies handling information might face if they never
know that they are a Subcontractor handling PHI.
• Service providers handling identifiable information should
consider seeking representations and warranties from their
customers that such customers are not Business
Associates under HIPAA.
• Subcontractors must take care to include appropriate
privacy and security language in their agreements where
they are sharing PHI with vendors and suppliers.
HIPAA Security Rule
• Covered entities (and business associates) must
“Implement a security awareness and training program
for all members of its workforce (including
management).”
45 CFR 164.308(a)(5)(i)
• Implementation Specifications include:
– Security Reminders – “Periodic security updates”
– Protection from Malicious Software – “Procedures for guarding
against, detecting, and reporting malicious software”
– Log-in Monitoring – “Procedures for monitoring log-in attempts
and reporting discrepancies”
– Password Management – “Procedures for creating, changing,
and safeguarding passwords.”
45 CFR 164.308(a)(5)(ii)(A), (B), (C), and (D)
Training & Awareness Requirements
• Security training required for all new and existing
members of the covered entity’s (and business
associate’s and sub-contractor’s) workforce
• Periodic retraining should be given whenever
environmental or operational changes affect security
of ePHI.
• Changes may include:
– new or updated policies and procedures; new or upgraded
software or hardware;
– new security technology; or
– changes in the Security Rule.
Security Awareness Training Documentation
• Covered entities (and BAs and sub-contractors) must
document the security reminders they implement.
Documentation: include type of reminder, message, date
of implementation.
• Examples:
– Notices (electronic or printed)
– Agenda Items and Discussion Topics (Monthly Meetings)
– Postings/focused reminders
– Formal re-training on policies and procedures
• Consider if practices are reasonable and appropriate.
• Determine if other forms of security reminders are needed.
Security awareness training must be
ongoing….
• Workforce must be trained regarding its role in protecting
against malicious software and system protection
capabilities.
• Training must be ongoing for all organizations.
• Workforce must be aware of log-in attempts that are not
appropriate.
• Workforce must be trained in how to safeguard
password information, including guidelines for creating
passwords and changing them during periodic change
cycles.
HIPAA Privacy Rule
• Workforce Training and Management
– Workforce members include employees, volunteers, trainees, and
may also include other persons whose conduct is under the direct
control of the entity (whether or not they are paid by the entity).
45 CFR 160.103
• A covered entity must train all workforce members on its
privacy policies and procedures, as necessary and
appropriate for them to carry out their functions.
45 CFR 164.530(b)
• A covered entity must have and apply appropriate
sanctions against workforce members who violate its
privacy policies and procedures or the Privacy Rule.
45 CFR 164.530(e)
Privacy Rule Training Requirements
• Requires training so that workforce members understand
the privacy procedures.
• Training may be scaled to the type of organization and
size of workforce.
• Privacy training must be provided to all workforce
members, as necessary and appropriate to their
functions.
• Rule does not specify how often training should be
conducted or specific content.
• Suggest that training include the Minimum Necessary
standard and requirements (45 CFR 164.502(b), 164.514(d)).
• Training must be documented.
Interrelationships: Privacy and Security
Rules
• Security requirements include a set of tools for ensuring
compliance with the Privacy Rule as well as the Security
Rule.
• The Security Rule provides detailed requirements, which
protect only ePHI.
• The Privacy Rule safeguards provision, 45 CFR §
164.530(c), is more general and protects the privacy of all
PHI, not just ePHI.
• Both Rules require covered entities (and BAs) to:
– Implement policies
– Ensure accountability for compliance
– Limit access to PHI
– Conduct workforce training
– Safeguard PHI
Effective Privacy and Security
Awareness Training Programs
Key Components of Effective Training
Programs
• Engage the workforce.
• Make training interesting.
• Use scenario-based training modules and lessons
learned.
• Apply headline and prominent cases to the
organization’s work environment. Include cases where
BAs have been involved in data breaches.
• Establish a mix of media and teaching approaches.
• Training should emphasize security and privacy
requirements of all laws that apply to the organization.
HIPAA is just one.
Key Components (Cont’d)
• Make training personal – how do these concepts fit with
employees’ life outside work? Make it relevant to
protecting employees’ confidential information.
• Include everyone from senior leaders to front-line staff.
• Train in small doses and train often.
• Select key themes and develop a mix of awareness
materials to emphasize and reinforce key concepts, and
help employees know what to do in cases of possible
data breaches or other situations that can compromise
confidential material.
• Cover contemporary threats.
Key Components (Cont’d)
• Test knowledge, not just after the training module, but later….
• Include good behaviors that protect the individual’s privacy
and that of the organization.
• Provide links to resources for those who want to go further.
• Train on policies. Make sure policies are easily accessed
and employees know where they are.
• Be sure to include contractors and sub-contractors in training
programs.
• Document training for all workforce members.
Remember: Employees may be the weak link in your security.
• Consulting consortium providing strategic planning, information security,
and privacy services to the healthcare industry and business associates.
• Practical approach to information security and privacy program
development and enhancement based on consultants’ experiences as
senior executives in healthcare organizations.
• Expertise in information security and privacy program development,
technical security, legal services, hospital management, healthcare
operations, compliance, information technology, disaster recovery and
business continuity, cyber security, health information management,
hospital and commercial clinical laboratory operations, physician practice
development, government sector, medicine, pharmaceutical compliance,
health information exchange.
• Working relationships with industry leaders and government agencies,
including CMS and OCR. Successful work history with regulators.
SECURITY | PRIVACY | CULTURE
Using Data Breaches to Raise Awareness
Security Incident: An event that compromises the Confidentiality,
Integrity, or Availability (CIA) of PHI.
Breach: An incident that results in the disclosure or potential
exposure of data.
Data disclosure: A breach for which it was confirmed that data was
actually disclosed (not just exposed) to an unauthorized party.
HIPAA Breach: “The acquisition, access, use, or disclosure of PHI in a
manner not permitted by the Privacy Rule which compromises the security
or privacy of the PHI.”
Current state of Data Breaches
• Wide range of threat actions (footprint)
– Over 20 distinct attack methods found in data set of confirmed
security incidents
• Attack methods change every year
– e.g., brute force was the #1 method in 2009 and #12 in 2013
• Financial motivations still highest factor
• Network devices are only a conduit in breaches
– Servers, user devices are prime targets
• ‘Time to compromise’ is far less than ‘time to discovery’
Source: 2014 Verizon Data Breach Investigations Report (DBIR)
Why focus on training users?
• Healthcare has the highest per-capita data breach cost of any
industry ($359, versus an average of $145 across all industries)
• Strong security posture has the single greatest influence on
reducing the cost of a data breach
• Reputation and loss of customer loyalty does the most damage to
the bottom line
Source: Ponemon Institute Reports
And yet…
• Only 68% of organizations have a formal privacy training program
– 32% designate such training as mandatory
– 38% provide specialized training
– 44% assess the program for effectiveness
Role of Business Associates
• Over 20% of ALL HHS breach incidents on the ‘Wall of Shame’
involve a BA
– Approximately 200 of the more than 1000 posted incidents (June 2014)
Source: Health & Human Services (HHS)
Most notably…
• The all-time largest event
– TRICARE Sept 2011 breach of 4.9 million records
– Due to a BA
• 90% of all healthcare organizations report one or more data breaches
• 38% of all healthcare organizations report five or more data breaches
Source: Ponemon Institute
Macro perspectives
• 94% of confirmed data breaches fall into only nine
patterns of compromise
– POS Intrusions
– Web app attacks
– Insider Misuse
– Physical Theft/loss
– Miscellaneous errors
– Crimeware
– Card skimmers
– DoS Attacks
– Cyber espionage
– Everything else
Healthcare industry (figure callout): 46% of ALL incidents; this is more
than twice the rate of ANY other industry. Next highest pattern: Insider
Misuse (15%).
Physical Theft and Loss
• Incidents due to ‘loss’ are an astounding 15 times the
volume due to ‘theft’
– Two mitigation options:
1. Reduce quantity of events
2. Reduce impact of each event
• For #1 - Awareness and training can be a key first step
• For #2 – Encryption is essential – a ‘no brainer’
• Legal and regulatory reporting requirements suggest a high degree
of compliance.
• Primary root cause: carelessness.
• Keep data close, PHI closer.
• Devices in work areas are not ‘safe’ – even servers.
• Include law enforcement crime reduction tips in awareness training.
• Move PHI to secure storage locations.
The Solution?
Awareness
• Loss, theft of data
• Insider misuse
– Where is PHI?
– How can PHI be accessed and used?
– Why is that data on a mobile device?
– How is that mobile device protected?
– Is PHI protected on every storage device and server?
– How are user privilege abuses discovered?
Encryption
• Across all phases
– Data at rest
– Data in use
– Data in transit
• Need proof for auditors
Relative Fixes:
• Loss of data – EASY
• Insider misuse – HARD
Corporate Overview
• Leading Technology Services Integrator
– Founded 2001
– Origins in the Intelligence Community, Military and Federal markets
– Focus on IT automation for enterprise level engagements
• Dedicated Workforce of over 1400
– Majority hold security clearances
– 625 hold one or more professional Cyber Security certifications
– Over 80 full time cyber security engineers
• Developer of Advanced Cyber Analytics Capabilities
– Network scanning, device and malware detection algorithms
– Data log and sensor feed integration
– Cyber Dashboard visualization
With over $500 million in annual revenue, NJVC has a proven record of providing
performance, commitment and value to our clients.
Tools and Resources
• CMS, HIPAA Security Series, Volume 2, Paper 2, Security Standards:
Administrative Safeguards, May 2005. Revised March 2007
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
• NJVC White paper “Raising Cyber Security Awareness for Healthcare
Professionals”
– http://www.njvc.com/resource-center/white-papers-and-case-studies
• SANS Training Modules – Awareness Training Modules
– http://www.securingthehuman.org/enduser/demo-training-lab
• Examples of SANS Modules:
– You Are A Target
– Social Engineering
– Email & Instant Messaging
– Browsing
– Social Networking
– Mobile Device Security
– Passwords
– Encryption
– ETC…
Tools and Resources (Cont’d)
• Symantec Security Awareness Tech Center. Examples: Security awareness
while traveling, Social Media Awareness, ETC.
– http://techcenter.symantec.com/ecampus/enterprise?siteName=sena&partNo=SA1000
• Ponemon Institute, Digital Defense SecurED: Experimental Analysis of
Training Effectiveness, July 16, 2013.
• Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis
– http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
• Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data
Security
– http://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/
• Verizon Data Breach Investigations Report (2014)
– http://www.verizonenterprise.com/DBIR/2014/?gclid=CL2nwPqfhr4CFYt9Ogod7QUAaw
• Redspin Breach Report 2013 (Protected Health Information – PHI – Feb 2014)
– http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php
Contact Information
Robert Michalsky
Principal, Cyber Security
NJVC
Robert.michalsky@njvc.com
703-429-9593
Twitter: RobertMichalsky
Phyllis Patrick
Phyllis A. Patrick & Associates LLC
Phyllis@phyllispatrick.com
914-696-3622
31Understanding HIPAA Omnibus Obligations of Business Associates

More Related Content

Similar to Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure

Confidentiality in the healthcare system
Confidentiality in the healthcare systemConfidentiality in the healthcare system
Confidentiality in the healthcare system
pfor2012
 
C427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docxC427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docx
write22
 
C427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docxC427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docx
write31
 

Similar to Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure (20)

HIPAA | HIPAA Training
HIPAA | HIPAA TrainingHIPAA | HIPAA Training
HIPAA | HIPAA Training
 
HIPAA | HIPAA Training
HIPAA | HIPAA TrainingHIPAA | HIPAA Training
HIPAA | HIPAA Training
 
2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures
 
The Challenges of Implementing HIPAA Certification in USA
The Challenges of Implementing HIPAA Certification in USAThe Challenges of Implementing HIPAA Certification in USA
The Challenges of Implementing HIPAA Certification in USA
 
Policies, Procedures and Productivity (Series: Protecting Your Employee Asset...
Policies, Procedures and Productivity (Series: Protecting Your Employee Asset...Policies, Procedures and Productivity (Series: Protecting Your Employee Asset...
Policies, Procedures and Productivity (Series: Protecting Your Employee Asset...
 
An Ounce of Prevention: Policies, Procedures and Proactivity (Series: Protec...
 An Ounce of Prevention: Policies, Procedures and Proactivity (Series: Protec... An Ounce of Prevention: Policies, Procedures and Proactivity (Series: Protec...
An Ounce of Prevention: Policies, Procedures and Proactivity (Series: Protec...
 
Compliance Overview - HIPAA Compliance Reviews - Audit Protocol
Compliance Overview - HIPAA Compliance Reviews - Audit ProtocolCompliance Overview - HIPAA Compliance Reviews - Audit Protocol
Compliance Overview - HIPAA Compliance Reviews - Audit Protocol
 
Confidentiality in the healthcare system
Confidentiality in the healthcare systemConfidentiality in the healthcare system
Confidentiality in the healthcare system
 
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
Cybersecurity in Health Care Sector: HIPAA Responsibilities from a Legal and ...
 
C427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docxC427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docx
 
C427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docxC427 Technology Applications in Healthcare Performance Assessment.docx
C427 Technology Applications in Healthcare Performance Assessment.docx
 
Hipaa compliance for small healthcare providers
Hipaa compliance for small healthcare providersHipaa compliance for small healthcare providers
Hipaa compliance for small healthcare providers
 
Achieving HIPAA Compliance: The Roadmap to Certification Success
Achieving HIPAA Compliance: The Roadmap to Certification SuccessAchieving HIPAA Compliance: The Roadmap to Certification Success
Achieving HIPAA Compliance: The Roadmap to Certification Success
 
The Ultimate Guide to HIPAA Training Course Online Everything You Need to Kno...
The Ultimate Guide to HIPAA Training Course Online Everything You Need to Kno...The Ultimate Guide to HIPAA Training Course Online Everything You Need to Kno...
The Ultimate Guide to HIPAA Training Course Online Everything You Need to Kno...
 
An Ounce of Prevention: Policies, Procedures and Proactivity
An Ounce of Prevention:  Policies, Procedures and ProactivityAn Ounce of Prevention:  Policies, Procedures and Proactivity
An Ounce of Prevention: Policies, Procedures and Proactivity
 
HIPAA Compliance Requirements for Business Associates
HIPAA Compliance Requirements for Business AssociatesHIPAA Compliance Requirements for Business Associates
HIPAA Compliance Requirements for Business Associates
 
Jeanette Rankins Patient Privacy Training
Jeanette Rankins Patient Privacy TrainingJeanette Rankins Patient Privacy Training
Jeanette Rankins Patient Privacy Training
 
hipaa compliance requirements for business associates
hipaa compliance requirements for business associateshipaa compliance requirements for business associates
hipaa compliance requirements for business associates
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt
 
Hipaa Compliance Training.docx
Hipaa Compliance Training.docxHipaa Compliance Training.docx
Hipaa Compliance Training.docx
 

Recently uploaded

Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...
Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...
Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...
Sheetaleventcompany
 
Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...
Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...
Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...
Sheetaleventcompany
 
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Sheetaleventcompany
 
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Sheetaleventcompany
 
Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...
Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...
Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...
Sheetaleventcompany
 
Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...
Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...
Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...
Sheetaleventcompany
 
💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...
💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...
💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...
Sheetaleventcompany
 
❤️ Zirakpur Call Girl Service ☎️9878799926☎️ Call Girl service in Zirakpur ☎...
❤️ Zirakpur Call Girl Service  ☎️9878799926☎️ Call Girl service in Zirakpur ☎...❤️ Zirakpur Call Girl Service  ☎️9878799926☎️ Call Girl service in Zirakpur ☎...
❤️ Zirakpur Call Girl Service ☎️9878799926☎️ Call Girl service in Zirakpur ☎...
daljeetkaur2026
 
science quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCEscience quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCE
maricelsampaga
 

Recently uploaded (20)

💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
 
Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...
Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...
Erotic Call Girls Bangalore {7304373326} ❤️VVIP SIYA Call Girls in Bangalore ...
 
Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...
Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...
Low Rate Call Girls Nagpur {9xx000xx09} ❤️VVIP NISHA Call Girls in Nagpur Mah...
 
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
 
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
 
2024 PCP #IMPerative Updates in Rheumatology
2024 PCP #IMPerative Updates in Rheumatology2024 PCP #IMPerative Updates in Rheumatology
2024 PCP #IMPerative Updates in Rheumatology
 
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
 
Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...
Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...
Low Rate Call Girls Udaipur {9xx000xx09} ❤️VVIP NISHA CCall Girls in Udaipur ...
 
Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...
Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...
Independent Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bang...
 
❤️Chandigarh Escort Service☎️9814379184☎️ Call Girl service in Chandigarh☎️ C...
❤️Chandigarh Escort Service☎️9814379184☎️ Call Girl service in Chandigarh☎️ C...❤️Chandigarh Escort Service☎️9814379184☎️ Call Girl service in Chandigarh☎️ C...
❤️Chandigarh Escort Service☎️9814379184☎️ Call Girl service in Chandigarh☎️ C...
 
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
 
💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...
💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...
💚Chandigarh Call Girls Service 💯Jiya 📲🔝8868886958🔝Call Girls In Chandigarh No...
 
💸Cash Payment No Advance Call Girls Bhopal 🧿 9332606886 🧿 High Class Call Gir...
💸Cash Payment No Advance Call Girls Bhopal 🧿 9332606886 🧿 High Class Call Gir...💸Cash Payment No Advance Call Girls Bhopal 🧿 9332606886 🧿 High Class Call Gir...
💸Cash Payment No Advance Call Girls Bhopal 🧿 9332606886 🧿 High Class Call Gir...
 
❤️ Zirakpur Call Girl Service ☎️9878799926☎️ Call Girl service in Zirakpur ☎...
❤️ Zirakpur Call Girl Service  ☎️9878799926☎️ Call Girl service in Zirakpur ☎...❤️ Zirakpur Call Girl Service  ☎️9878799926☎️ Call Girl service in Zirakpur ☎...
❤️ Zirakpur Call Girl Service ☎️9878799926☎️ Call Girl service in Zirakpur ☎...
 
The Events of Cardiac Cycle - Wigger's Diagram
The Events of Cardiac Cycle - Wigger's DiagramThe Events of Cardiac Cycle - Wigger's Diagram
The Events of Cardiac Cycle - Wigger's Diagram
 
💸Cash Payment No Advance Call Girls Kanpur 🧿 9332606886 🧿 High Class Call Gir...
💸Cash Payment No Advance Call Girls Kanpur 🧿 9332606886 🧿 High Class Call Gir...💸Cash Payment No Advance Call Girls Kanpur 🧿 9332606886 🧿 High Class Call Gir...
💸Cash Payment No Advance Call Girls Kanpur 🧿 9332606886 🧿 High Class Call Gir...
 
Call Now ☎ 8868886958 || Call Girls in Chandigarh Escort Service Chandigarh
Call Now ☎ 8868886958 || Call Girls in Chandigarh Escort Service ChandigarhCall Now ☎ 8868886958 || Call Girls in Chandigarh Escort Service Chandigarh
Call Now ☎ 8868886958 || Call Girls in Chandigarh Escort Service Chandigarh
 
❤️Chandigarh Escorts Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ ...
❤️Chandigarh Escorts Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ ...❤️Chandigarh Escorts Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ ...
❤️Chandigarh Escorts Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ ...
 
science quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCEscience quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCE
 
💸Cash Payment No Advance Call Girls Hyderabad 🧿 9332606886 🧿 High Class Call ...
💸Cash Payment No Advance Call Girls Hyderabad 🧿 9332606886 🧿 High Class Call ...💸Cash Payment No Advance Call Girls Hyderabad 🧿 9332606886 🧿 High Class Call ...
💸Cash Payment No Advance Call Girls Hyderabad 🧿 9332606886 🧿 High Class Call ...
 

Training Your Business Associate Workforce: Understanding Obligations and Risk Exposure

1. Training Your BA Workforce: Understanding Obligations and Risk Exposure
June 26, 2014
Phyllis A. Patrick, MBA, FACHE, CISM, CHC
Robert J. Michalsky, CISSP, CSSLP

2. Session Topics
• Training and Awareness Requirements: HIPAA Security and Privacy Rules
• Key Components of Effective Security and Privacy Awareness Programs
• Breach Cases: Developing Strategies to Use Training and Awareness Programs to Minimize Risk Exposure
Understanding HIPAA Omnibus Obligations of Business Associates

3. Training and Awareness Requirements

4. Legislative History and BA Obligations
Timeline: 1996, 2003, 2005, 2009, 2010, 2013
BAs required to comply with the interim final breach notification rule (9/23/09); BAs liable for certain privacy and security requirements under HITECH (2/18/10).
5. The Omnibus (Final) Rule
• Most significant change in the four Rules (privacy, security, breach, enforcement) is the impact on Business Associates.
• BAs have had contractual obligations to comply with the HIPAA Privacy Rule (2003) and Security Rule (2005).
• HITECH: BAs subject to statutory penalties for failure to comply with the HIPAA Privacy, Security, and Breach Notification Rules (45 CFR Parts 160 and 164, subpart E; 45 CFR Parts 160 and 164, subpart C; 45 CFR Parts 160 and 164, subpart D).
• HITECH implementing regulations proposed including subcontractors in the definition of BA.
• BAs now subject to legal obligations and enforcement risk.

6. Who are sub-contractors?
• “Sub-contractor” includes those acting on behalf of a sub-contractor.
• HIPAA requirements apply all the way down the sub-contracting chain as far as the PHI flows.
• Covered Entities must ensure that they obtain satisfactory assurances (in the form of a BAA) from their Business Associates, and Business Associates must do the same with regard to Sub-contractors, and so on, no matter how far down the chain the PHI flows.
• Both the contractor and all of its sub-contractors are Business Associates under the Final Rule to the extent they create, receive, maintain, or transmit PHI.

7. Sub-contractor Issues
• Sub-contractors must understand their responsibilities regarding HIPAA compliance: who communicates this information to the sub-contractor, and how? What is included in the contract and/or the BAA to codify this?
• Business Associates must enter into agreements with their sub-contractors that include the same terms that have always been required for Business Associate Agreements.

8. Sub-contractor Issues (Cont’d)
• Challenge: HHS does not address the difficulty that companies handling information might face if they never know that they are a Subcontractor handling PHI.
• Service providers handling identifiable should consider seeking representations and warranties from their customers that such customers are not Business Associates under HIPAA.
• Subcontractors must take care to include appropriate privacy and security language in their agreements where they are sharing PHI with vendors and suppliers.
9. HIPAA Security Rule
• Covered entities (and business associates) must “Implement a security awareness and training program for all members of its workforce (including management).” CFR 164.308(a)(5)(i)
• Implementation Specifications include:
– Security Reminders – “Periodic security updates”
– Protection from Malicious Software – “Procedures for guarding against, detecting, and reporting malicious software”
– Log-in Monitoring – “Procedures for monitoring log-in attempts and reporting discrepancies”
– Password Management – “Procedures for creating, changing, and safeguarding passwords.”
CFR 143.308(a)(5)(ii)(A), (B), (C), and (D)

10. Training & Awareness Requirements
• Security training is required for all new and existing members of the covered entity’s (and business associate’s and sub-contractor’s) workforce.
• Periodic retraining should be given whenever environmental or operational changes affect the security of ePHI.
• Changes may include:
– new or updated policies and procedures;
– new or upgraded software or hardware;
– new security technology; or
– changes in the Security Rule.

11. Security Awareness Training Documentation
• Covered entities (and BAs and sub-contractors) must document the security reminders they implement. Documentation should include the type of reminder, the message, and the date of implementation.
• Examples:
– Notices (electronic or printed)
– Agenda items and discussion topics (monthly meetings)
– Postings/focused reminders
– Formal re-training on policies and procedures
• Consider whether practices are reasonable and appropriate.
• Determine whether other forms of security reminders are needed.

12. Security awareness training must be ongoing….
• Workforce must be trained regarding its role in protecting against malicious software and in the system’s protection capabilities.
• Training must be ongoing for all organizations.
• Workforce must be aware of log-in attempts that are not appropriate.
• Workforce must be trained in how to safeguard password information, including guidelines for creating passwords and changing them during periodic change cycles.
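The Security Rule’s log-in monitoring specification quoted above calls for “procedures for monitoring log-in attempts and reporting discrepancies” but does not say what a discrepancy looks like in practice. The following is an added example, not code from the presentation or from either presenter’s organization: a small Python detector run over a constructed authentication log. The record layout (`<date> <time> FAIL|OK user=<name> src=<ip>`), the thresholds, and every log line are assumptions made for illustration; a real deployment would feed in its own system’s log format and tune the thresholds to its environment.

```python
"""Log-in monitoring over sample authentication records.

Added example (not from the presentation): a minimal implementation of the
Security Rule's "procedures for monitoring log-in attempts and reporting
discrepancies". The record layout and every record below are constructed for
illustration; real systems would parse syslog, Windows Security events, etc.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed record layout: "<date> <time> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log, in chronological order (the detector assumes this).
SAMPLE_LOG = """\
# constructed auth log for illustration
2014-06-26 08:00:01 FAIL user=alice src=10.0.0.5
2014-06-26 08:00:12 FAIL user=alice src=10.0.0.5
2014-06-26 08:00:25 FAIL user=alice src=10.0.0.5
2014-06-26 08:00:40 FAIL user=alice src=10.0.0.5
2014-06-26 08:01:03 FAIL user=alice src=10.0.0.5
2014-06-26 08:01:30 OK user=alice src=10.0.0.5

2014-06-26 08:05:00 FAIL user=bob src=10.0.0.9
2014-06-26 08:05:20 OK user=bob src=10.0.0.9
2014-06-26 09:00:00 FAIL user=carol src=10.0.0.7
2014-06-26 09:30:00 FAIL user=carol src=10.0.0.7
2014-06-26 10:00:00 FAIL user=carol src=10.0.0.7
2014-06-26 10:30:00 FAIL user=carol src=10.0.0.7
2014-06-26 11:00:00 FAIL user=carol src=10.0.0.7
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for blanks/comments/junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_discrepancies(lines, max_failures=5, window=timedelta(minutes=10),
                       min_failures_before_success=3):
    """Scan records in time order and return a list of findings.

    Two discrepancy types are reported per (user, source) pair:
      failure_burst          - max_failures or more failures inside `window`
                               (reported once per pair until a success resets it)
      success_after_failures - a successful log-in preceded by at least
                               min_failures_before_success failures inside `window`
    """
    recent_failures = defaultdict(deque)   # (user, src) -> failure timestamps
    burst_reported = set()
    findings = []

    for rec in filter(None, map(parse_line, lines)):
        key = (rec["user"], rec["src"])
        q = recent_failures[key]
        # drop failures that have aged out of the window
        while q and rec["ts"] - q[0] > window:
            q.popleft()

        if rec["result"] == "FAIL":
            q.append(rec["ts"])
            if len(q) >= max_failures and key not in burst_reported:
                burst_reported.add(key)
                findings.append({"type": "failure_burst", "user": rec["user"],
                                 "src": rec["src"], "count": len(q),
                                 "at": rec["ts"]})
        else:  # successful log-in
            if len(q) >= min_failures_before_success:
                findings.append({"type": "success_after_failures",
                                 "user": rec["user"], "src": rec["src"],
                                 "count": len(q), "at": rec["ts"]})
            q.clear()
            burst_reported.discard(key)
    return findings


def format_report(findings):
    """Render findings one per line, suitable for a reviewer or a ticket."""
    return [f"{f['at']:%Y-%m-%d %H:%M:%S} {f['type']} user={f['user']} "
            f"src={f['src']} failures={f['count']}" for f in findings]


if __name__ == "__main__":
    for line in format_report(find_discrepancies(SAMPLE_LOG.splitlines())):
        print(line)
```

On the sample above the detector reports two discrepancies, both for `alice`: a burst of five failures inside ten minutes, then a success immediately after that burst (the pattern worth a reviewer’s attention). `bob`’s single mistyped password and `carol`’s five failures spread over two hours are ignored at the default window, which is the point of tracking a time window rather than a raw count. The findings list is what gets documented and reported; the deck’s documentation slide asks for exactly that kind of record.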
13. HIPAA Privacy Rule
• Workforce Training and Management
– Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). 45 CFR 160.103
• A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. 45 CFR 164.530(b)
• A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule. 45 CFR 164.530(e)

14. Privacy Rule Training Requirements
• Requires training so that workforce members understand the privacy procedures.
• Training may be scaled to the type of organization and size of workforce.
• Privacy training must be provided to all workforce members, as necessary and appropriate to their functions.
• The Rule does not specify how often training should be conducted or its specific content.
• Suggest that training include the Minimum Necessary standard and requirements (45 CFR 164.502(b), 164.514(d)).
• Training must be documented.

15. Interrelationships: Privacy and Security Rules
• Security requirements include a set of tools for ensuring compliance with the Privacy Rule as well as the Security Rule.
• The Security Rule provides detailed requirements, which protect only ePHI.
• The Privacy Rule safeguards provision, 45 CFR § 164.530(c), is more general and protects the privacy of all PHI, not just ePHI.
• Both Rules require covered entities (and BAs) to:
– Implement policies
– Ensure accountability for compliance
– Limit access to PHI
– Conduct workforce training
– Safeguard PHI
16. Effective Privacy and Security Awareness Training Programs

17. Key Components of Effective Training Programs
• Engage the workforce.
• Make training interesting.
• Use scenario-based training modules: lessons learned.
• Apply headline and prominent cases to the organization’s work environment. Include cases where BAs have been involved in data breaches.
• Establish a mix of media and teaching approaches.
• Training should emphasize the security and privacy requirements of all laws that apply to the organization. HIPAA is just one.

18. Key Components (Cont’d)
• Make training personal: how do these concepts fit with employees’ lives outside work? Make it relevant to protecting employees’ own confidential information.
• Include everyone from senior leaders to front-line staff.
• Train in small doses and train often.
• Select key themes and develop a mix of awareness materials to emphasize and reinforce key concepts, and help employees know what to do in cases of possible data breaches or other situations which can harm confidential material.
• Cover contemporary threats.

19. Key Components (Cont’d)
• Test knowledge, not just after the training module, but later….
• Include good behaviors that protect the individual’s privacy and that of the organization.
• Provide links to resources for those who want to go further.
• Train on policies. Make sure policies are easily accessed and employees know where they are.
• Be sure to include contractors and sub-contractors in training programs.
• Document training for all workforce members.
Remember: Employees may be the weak link in your security.

20. Phyllis A. Patrick & Associates
– Consulting consortium providing strategic planning, information security, and privacy services to the healthcare industry and business associates.
– Practical approach to information security and privacy program development and enhancement, based on consultants’ experiences as senior executives in healthcare organizations.
– Expertise in information security and privacy program development, technical security, legal services, hospital management, healthcare operations, compliance, information technology, disaster recovery and business continuity, cyber security, health information management, hospital and commercial clinical laboratory operations, physician practice development, government sector, medicine, pharmaceutical compliance, and health information exchange.
– Working relationships with industry leaders and government agencies, including CMS and OCR. Successful work history with regulators.
SECURITY | PRIVACY | CULTURE
21. USING DATA BREACHES TO RAISE AWARENESS
Security Incident: an event that compromises the Confidentiality, Integrity, or Availability (CIA) of PHI.
Breach: an incident that results in the disclosure or potential exposure of data.
Data disclosure: a breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.
HIPAA Breach: “The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.”

22. Current State of Data Breaches
• Wide range of threat actions (footprint)
– Over 20 distinct attack methods found in the data set of confirmed security incidents
• Attack methods change every year
– E.g., brute force was the #1 method in 2009 and #12 in 2013
• Financial motivation is still the highest factor
• Network devices are only a conduit in breaches
– Servers and user devices are the prime targets
• ‘Time to compromise’ is far less than ‘time to discovery’
Source: 2014 Verizon Data Breach Investigations Report (DBIR)

23. Why focus on training users?
• Healthcare has the highest data breach cost per capita of any industry ($359, vs. an average of $145)
• A strong security posture has the single greatest influence on reducing the cost of a data breach
• Reputation damage and loss of customer loyalty do the most harm to the bottom line
Source: Ponemon Institute Reports
And yet…
• Only 68% of organizations have a formal privacy training program
– 32% designate such training as mandatory
– 38% provide specialized training
– 44% assess the program for effectiveness

24. Role of Business Associates
• Over 20% of ALL HHS breach incidents on the ‘Wall of Shame’ involve a BA
– Approximately 200 of the more than 1000 posted incidents (June 2014)
Source: Health & Human Services (HHS)
Most notably…
• The all-time largest event, the TRICARE breach of September 2011 (4.9 million records), was due to a BA
• 90% of all healthcare organizations report one or more data breaches
• 38% of all healthcare organizations report five or more data breaches
Source: Ponemon Institute

25. Macro Perspectives
• 94% of confirmed data breaches fall into only nine patterns of compromise:
– POS intrusions
– Web app attacks
– Insider misuse
– Physical theft/loss
– Miscellaneous errors
– Crimeware
– Card skimmers
– DoS attacks
– Cyber espionage
– Everything else
• Healthcare industry: 46% of ALL incidents, more than twice the rate of ANY other industry. Next highest pattern: Insider Misuse (15%).

26. Physical Theft and Loss
• Incidents due to ‘loss’ are an astounding 15 times the volume due to ‘theft’
– Two mitigation options:
1. Reduce the quantity of events
2. Reduce the impact of each event
• For #1: awareness and training can be a key first step
• For #2: encryption is essential, a ‘no brainer’
Legal and regulatory reporting requirements suggest a high degree of compliance.
Primary root cause: carelessness.
• Keep data close, PHI closer
• Devices in work areas are not ‘safe’, even servers
• Include law enforcement crime reduction tips in awareness training
• Move PHI to secure storage locations

27. The Solution?
Awareness
• Loss, theft of data
• Insider misuse
– Where is PHI?
– How can PHI be accessed and used?
– Why is that data on a mobile device?
– How is that mobile device protected?
– Is PHI protected on every storage device and server?
– How are user privilege abuses discovered?
Encryption
• Across all phases
– Data at rest
– Data in use
– Data in transit
• Need proof for auditors
Relative fixes: loss of data – EASY; insider misuse – HARD
28. Corporate Overview
– Leading Technology Services Integrator
• Founded 2001
• Origins in the Intelligence Community, Military and Federal markets
• Focus on IT automation for enterprise-level engagements
– Dedicated Workforce of over 1400
• Majority hold security clearances
• 625 hold one or more professional Cyber Security certifications
• Over 80 full-time cyber security engineers
– Developer of Advanced Cyber Analytics Capabilities
• Network scanning, device and malware detection algorithms
• Data log and sensor feed integration
• Cyber Dashboard visualization
With over $500 million in annual revenue, NJVC has a proven record of providing performance, commitment and value to our clients.

29. Tools and Resources
• CMS, HIPAA Security Series, Volume 2, Paper 2, Security Standards: Administrative Safeguards, May 2005. Revised March 2007
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
• NJVC White Paper, “Raising Cyber Security Awareness for Healthcare Professionals”
– http://www.njvc.com/resource-center/white-papers-and-case-studies
• SANS Training Modules – Awareness Training Modules
– http://www.securingthehuman.org/enduser/demo-training-lab
• Examples of SANS Modules:
– You Are A Target
– Social Engineering
– Email & Instant Messaging
– Browsing
– Social Networking
– Mobile Device Security
– Passwords
– Encryption
– ETC…

30. Tools and Resources (Cont’d)
• Symantec Security Awareness Tech Center. Examples: Security awareness while traveling, Social Media Awareness, ETC.
– http://techcenter.symantec.com/ecampus/enterprise?siteName=sena&partNo=SA1000
• Ponemon Institute, Digital Defense SecurED: Experimental Analysis of Training Effectiveness, July 16, 2013.
• Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis
– http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
• Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy & Data Security
– http://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/
• Verizon Data Breach Investigations Report (2014)
– http://www.verizonenterprise.com/DBIR/2014/?gclid=CL2nwPqfhr4CFYt9Ogod7QUAaw
• Redspin Breach Report 2013 (Protected Health Information – PHI – Feb 2014)
– http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php

31. Contact Information
Robert Michalsky
Principal, Cyber Security, NJVC
Robert.michalsky@njvc.com
703-429-9593
Twitter: RobertMichalsky

Phyllis Patrick
Phyllis A. Patrick & Associates LLC
Phyllis@phyllispatrick.com
914-696-3622