SlideShare a Scribd company logo

Web hipaa hitech and privacy

Download as PPTX, PDF
Carol Buckmann
Carol Buckmann

This document discusses privacy and security considerations regarding protected health information (PHI) under laws such as HIPAA, HITECH, and state privacy laws. It addresses risks related to employee access of data, use of vendor systems, and data security breaches. Methods for managing these risks include training employees, monitoring access, using strong contracts with vendors that outline data use and security protocols, conducting security audits, and having response plans for privacy incidents and breaches. Enforcement of these laws comes from HHS, state attorneys general, the FTC, and private plaintiffs, with penalties for noncompliance.

1 of 30
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com HIPAA, HITECH and Privacy How to Manage Privacy and Security Risks and Considerations
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Presented by Patricia Wagner Member of the Firm pwagner@ebglaw.com 202-861-4182 2
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy and Security Considerations  Privacy • Who has access to the data? • What can be done with the data? • How is data protected from misuse?  Security • How is data secured? • How is security monitored? o Audits o Logs o Other? 3
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Enforcement  Department of Health & Human Services, Office for Civil Rights  State AGs  Federal Trade Commission  Private Plaintiffs 4
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy in State of Union Address  Reported that the State of the Union Address will include new initiatives related to privacy • Setting a national data breach reporting standard • Student Digital Privacy Act (restrict sale of student data) • Consumer Privacy Bill of Rights (reportedly would ensure more control over personal data for individuals, more closely in line with the rules in place in the European Union). 5
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com The HIPAA Privacy Rule  The HIPAA Privacy Rule (the “Privacy Rule”) is a set of regulations that requires certain entities to maintain and protect the privacy and security of individually identifiable health information (also known as “protected health information” or “PHI”). 6
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Mantra of HIPAA Privacy Rule  The HIPAA Privacy Standards establish a fundamental presumption that all “Protected Health Information” is confidential, and can only be disclosed with appropriate authorization from the individual  Exceptions to this presumption are limited 7
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com HIPAA Security Rule  Requires protection of electronic PHI • Physical Safeguards • Administrative Safeguards • Technical Safeguards 8
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com HITECH  Increased penalties for violation of the Privacy and Security Rules  Directly obligates business associates to certain requirements of the Privacy and Security Rules  Requires notification in the event of a breach of PHI 9
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com What is PHI?  PHI is information: • in any form of medium, oral or recorded (not just electronic) • that relates to the individual’s health, healthcare, treatment, or payment • that identifies the individual in any way  That means PHI includes: • Name, address, birth date, phone and fax numbers, email address, social security numbers, and other unique identifiers • Type of doctor being visited (when added to something that could identify the patient) • Prescription information, other claims submission data 10
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Examples of PHI for Group Health Plans  Group Health Plans may have PHI in: • Complaints from beneficiaries about whether service is being paid • Claim submissions • Appeals for denied services • Beneficiary support services • EAP documentation • Flexible Spending plan documentation • On-site medical clinics? (not always part of plan but may have special considerations) 11
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Vendors May Have Access to PHI  Vendors • Third party administrator • IT service vendors • Storage facilities • Cloud vendors • On-site medical clinics 12
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy Risks  The “rogue employee” • Someone accesses and using information in a way not permitted under the Privacy Rule, or other laws.  A Vendor’s rogue employee  A Vendor’s use of the data • what contractual rights did they reserve? 13
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Rogue Employee  Walgreen Case (in Indiana) • Pharmacist viewed prescription records of a customer • Customer’s ex-boyfriend tells customer he has a print out of her records • Two years later customer finds out the ex-boyfriend is now married to Walgreen pharmacist • Pharmacist maintains she looked at customer’s record but never shared it • Customer files litigation • Trial ensues and jury delivers verdict $1.4 million for plaintiff 14
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Rogue employee  Court held, and appellate court upheld • Employer responsible for acts of employee when conduct is within scope of employment o Within scope -- “incidental to job duties or originated in activities closely associated with job • As a result Walgreen and individual defendants are jointly liable for $1.4 million 15
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy Gaining More Interest  Recent Letter from Senator Al Franken related to employees use of information provided to organization • Letter request asks for information related to o Steps taken to limit access to data by employees o Training provided to employees o Monitoring processes o Disciplinary policies 16
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Other Employee Situations  The helper (shares information to “help”)  The deflector (uses privacy to deflect from the other issue)  The criminal (steals information to sell)  The case builder (takes information to “bolster” claims) 17
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Employee Risk?  Training  Auditing  Disciplinary actions  Top down focus on privacy and security  Clear policies 18
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy Risks  The “rogue employee” • Someone accesses and using information in a way not permitted under the Privacy Rule, or other laws.  A Vendor’s rogue employee  A Vendor’s use of the data • what contractual rights did they reserve? 19
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Vendor Risk  Dealing with reputable vendors  Strong contract language that • Protects data rights (may even want to protect data rights of de-identified data) • Limits use of data by vendor 20
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Security Risks  Breach of information  Breach can occur through • Hacking • Lost device • Errant email • Lost mail or package 21
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Sample of Security Breach Affecting Employees  Sony Breach - Class Action Suit already filed • Plaintiffs (former employees) allege that the following information was affected by the breach: o A Microsoft Excel document that contains the name, location, employee ID, network username, base salary and date of birth for more than 6,800 people; o A status report from April 2014 listing the names, dates of birth, Social Security numbers and health savings account data on more than 700 Sony employees; and o A file that appears to be the product of an internal audit from PriceWaterhouseCoopers, made up of screen shots of dozens of employees’ federal tax records and other compensation data. 22
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Security Risks  Strong IT and Security Controls  Audits  Scans  Risk Assessments  “Dummy” calls 23
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Vendor Risk?  Strong contracts • Responsibility for breaches • What happens to data when contract is terminated  Diligence on vendors • How do you safeguard employee information? • Have you had any reportable breaches? • Do you have an incident response policy? • Do you store information or do you use a vendor to do so?  How do you assess the responses? 24
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Cloud Vendor Special Issues  Limited negotiation power (“we don’t negotiate our agreements”)  May be reluctant to impart details related to security posture (which may be a good sign)  May charge “a la carte” fees for additional security measures (e.g., pay for meeting obligations of BA agreement) 25
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Business Associate Agreements  Vendors that use, disclose, or maintain PHI should have a business associate agreement with the plan  Business Associate Agreement should have provisions required by regulation  Other provisions • De-identification (some vendors include data rights provisions in de- identification provisions) • Data aggregation (some vendors craft broad aggregation rights into this provision) • Protection in the event of a security breach (indemnification, insurance, other language) • Disclaimer of agency 26
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Compliance Tips  Training  Monitoring  Have a Fulsome Complaint Process  Don’t ignore issues (mitigate)  Get the full story 27
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Other Areas of Focus for Privacy/Security  Mobile Devices • Phones, Tablets, Laptops o Screen locks o Encryption o Selected Models o Limit Storage o Limit activities?  Social Media (Twitter, Facebook, etc. etc)  Strong policy, but aware of laws 28
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com HIPAA Civil Penalties 29 Violation Category Each violation All such violations of an identical provision in a calendar year (A) Did Not Know $100–$50,000 $1,500,000 (B) Reasonable Cause $1,000–50,000 $1,500,000 (C)(i) Willful Neglect-Corrected $10,000–50,000 $1,500,000 (C)(ii) Willful Neglect-Not Corrected $50,000 1,500,000 $1,500,000 Criminal Penalties Can Also Apply
© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Questions? 30

Recommended

GDPR for Non-European Region - Financial Services EL
GDPR for Non-European Region - Financial Services ELGDPR for Non-European Region - Financial Services EL
GDPR for Non-European Region - Financial Services EL
Eugene Lee
 
Data Protection and Privacy
Data Protection and PrivacyData Protection and Privacy
Data Protection and Privacy
Vertex Holdings
 
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Constantine Karbaliotis
 
GDPR From Implementation to Opportunity
GDPR From Implementation to OpportunityGDPR From Implementation to Opportunity
GDPR From Implementation to Opportunity
Dean Sappey
 
Gdpr and ISMS Quick Map Framework EL
Gdpr and ISMS Quick Map Framework ELGdpr and ISMS Quick Map Framework EL
Gdpr and ISMS Quick Map Framework EL
Eugene Lee
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
Trish McGinity, CCSK
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentation
Priyanka Aash
 
Data protection
Data protectionData protection
Data protectionLewis Silkin
 

Recommended

GDPR for Non-European Region - Financial Services EL
GDPR for Non-European Region - Financial Services ELGDPR for Non-European Region - Financial Services EL
GDPR for Non-European Region - Financial Services EL
Eugene Lee
 
Data Protection and Privacy
Data Protection and PrivacyData Protection and Privacy
Data Protection and Privacy
Vertex Holdings
 
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Constantine Karbaliotis
 
GDPR From Implementation to Opportunity
GDPR From Implementation to OpportunityGDPR From Implementation to Opportunity
GDPR From Implementation to Opportunity
Dean Sappey
 
Gdpr and ISMS Quick Map Framework EL
Gdpr and ISMS Quick Map Framework ELGdpr and ISMS Quick Map Framework EL
Gdpr and ISMS Quick Map Framework EL
Eugene Lee
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
Trish McGinity, CCSK
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentation
Priyanka Aash
 
Data protection
Data protectionData protection
Data protectionLewis Silkin
 
Red7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRed7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data Protection
Robert Grupe, CSSLP CISSP PE PMP
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
eHealth Forum
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
Teleran Data Protection - Addressing 5 Critical GDPR RequirementsTeleran Data Protection - Addressing 5 Critical GDPR Requirements
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
Chris Doolittle
 
Data protection
Data protectionData protection
Data protection
RaviPrashant5
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
Naomi Holmes
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumImpact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumConstantine Karbaliotis
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
Eugene Lee
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)
Happiest Minds Technologies
 
Data Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New RegulationsData Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New Regulations
PECB
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
Caroline Boscher
 
GDPR Awareness for YOU
GDPR Awareness for YOUGDPR Awareness for YOU
GDPR Awareness for YOU
Cliff Gibson
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
Acquia
 
Introduction to gdpr
Introduction to gdprIntroduction to gdpr
Introduction to gdpr
3GDR
 
What does GDPR mean for your charity?
What does GDPR mean for your charity?What does GDPR mean for your charity?
What does GDPR mean for your charity?
NCVO - National Council for Voluntary Organisations
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
SPIN Chennai
 
Get you and your business GDPR ready
Get you and your business GDPR readyGet you and your business GDPR ready
Get you and your business GDPR ready
Harrison Clark Rickerbys
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
DAMA Ireland
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
- Mark - Fullbright
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Compliancy Group
 
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Epstein Becker Green
 

More Related Content

What's hot

Red7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRed7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data Protection
Robert Grupe, CSSLP CISSP PE PMP
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
eHealth Forum
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
Teleran Data Protection - Addressing 5 Critical GDPR RequirementsTeleran Data Protection - Addressing 5 Critical GDPR Requirements
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
Chris Doolittle
 
Data protection
Data protectionData protection
Data protection
RaviPrashant5
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
Naomi Holmes
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumImpact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumConstantine Karbaliotis
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
Eugene Lee
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)
Happiest Minds Technologies
 
Data Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New RegulationsData Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New Regulations
PECB
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
Caroline Boscher
 
GDPR Awareness for YOU
GDPR Awareness for YOUGDPR Awareness for YOU
GDPR Awareness for YOU
Cliff Gibson
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
Acquia
 
Introduction to gdpr
Introduction to gdprIntroduction to gdpr
Introduction to gdpr
3GDR
 
What does GDPR mean for your charity?
What does GDPR mean for your charity?What does GDPR mean for your charity?
What does GDPR mean for your charity?
NCVO - National Council for Voluntary Organisations
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
SPIN Chennai
 
Get you and your business GDPR ready
Get you and your business GDPR readyGet you and your business GDPR ready
Get you and your business GDPR ready
Harrison Clark Rickerbys
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
DAMA Ireland
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
- Mark - Fullbright
 

What's hot (20)

Red7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRed7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data Protection
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
Teleran Data Protection - Addressing 5 Critical GDPR RequirementsTeleran Data Protection - Addressing 5 Critical GDPR Requirements
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
 
Data protection
Data protectionData protection
Data protection
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada SymposiumImpact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
Impact of GDPR on Canada May 2016 - Presented at IAPP Canada Symposium
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)
 
Data Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New RegulationsData Privacy Trends in 2021: Compliance with New Regulations
Data Privacy Trends in 2021: Compliance with New Regulations
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
GDPR Awareness for YOU
GDPR Awareness for YOUGDPR Awareness for YOU
GDPR Awareness for YOU
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
Introduction to gdpr
Introduction to gdprIntroduction to gdpr
Introduction to gdpr
 
What does GDPR mean for your charity?
What does GDPR mean for your charity?What does GDPR mean for your charity?
What does GDPR mean for your charity?
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
 
Get you and your business GDPR ready
Get you and your business GDPR readyGet you and your business GDPR ready
Get you and your business GDPR ready
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 

Similar to Web hipaa hitech and privacy

Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Compliancy Group
 
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Epstein Becker Green
 
Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?
Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?
Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?
Epstein Becker Green
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Diana Maier
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019
Jose Ivan Delgado, Ph.D.
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
Compliancy Group
 
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
RightScale
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident Simulation
Bradley Arant Boult Cummings LLP
 
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Epstein Becker Green
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach Overview
HealthCare Too, LLC
 
Top Health Care Regulatory Trends: New Risks and Opportunities
Top Health Care Regulatory Trends: New Risks and OpportunitiesTop Health Care Regulatory Trends: New Risks and Opportunities
Top Health Care Regulatory Trends: New Risks and Opportunities
Epstein Becker Green
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
Financial Poise
 
Signs You May Have a Problem: White-Collar Crash Course Webinar Series
Signs You May Have a Problem: White-Collar Crash Course Webinar SeriesSigns You May Have a Problem: White-Collar Crash Course Webinar Series
Signs You May Have a Problem: White-Collar Crash Course Webinar Series
Epstein Becker Green
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Financial Poise
 
Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...
Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...
Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...
Quarles & Brady
 
Privacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffinPrivacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffin
WhitmeyerTuffin
 
HIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldHIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile World
Ryan Snell
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
ControlCase
 
Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...
Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...
Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...
Epstein Becker Green
 

Similar to Web hipaa hitech and privacy (20)

Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
 
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
 
Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?
Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?
Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
 
HIPAA Overview
HIPAA OverviewHIPAA Overview
HIPAA Overview
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
 
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013
 
Data Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident SimulationData Breach Response: Realtime Cyber Incident Simulation
Data Breach Response: Realtime Cyber Incident Simulation
 
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach Overview
 
Top Health Care Regulatory Trends: New Risks and Opportunities
Top Health Care Regulatory Trends: New Risks and OpportunitiesTop Health Care Regulatory Trends: New Risks and Opportunities
Top Health Care Regulatory Trends: New Risks and Opportunities
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Signs You May Have a Problem: White-Collar Crash Course Webinar Series
Signs You May Have a Problem: White-Collar Crash Course Webinar SeriesSigns You May Have a Problem: White-Collar Crash Course Webinar Series
Signs You May Have a Problem: White-Collar Crash Course Webinar Series
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...
Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...
Business Law Training: Pushing CCPA Compliance Over the Finish Line: New Deve...
 
Privacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffinPrivacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffin
 
HIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile WorldHIPAA Compliance and Security in a Mobile World
HIPAA Compliance and Security in a Mobile World
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...
Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...
Recent Investigation and Enforcement Trends: 2016 Compliance and TPL Focused ...
 

More from Carol Buckmann

Pw c web june 2019
Pw c web june 2019Pw c web june 2019
Pw c web june 2019
Carol Buckmann
 
Web presentation may 2019 (costin)
Web presentation may 2019 (costin)Web presentation may 2019 (costin)
Web presentation may 2019 (costin)
Carol Buckmann
 
Fin well sponsor presentation may 2019-web nyc
Fin well sponsor presentation may 2019-web nycFin well sponsor presentation may 2019-web nyc
Fin well sponsor presentation may 2019-web nyc
Carol Buckmann
 
Webny 04182019 final
Webny 04182019 finalWebny 04182019 final
Webny 04182019 final
Carol Buckmann
 
032119 -als--best practices prsn
032119 -als--best practices prsn032119 -als--best practices prsn
032119 -als--best practices prsn
Carol Buckmann
 
Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...
Carol Buckmann
 
Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...
Carol Buckmann
 
Pw c web 06.21.2018 final
Pw c web 06.21.2018 finalPw c web 06.21.2018 final
Pw c web 06.21.2018 final
Carol Buckmann
 
Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20
Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20
Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20
Carol Buckmann
 
Web 05172018 Health Plan Hot Spots
Web 05172018 Health Plan Hot SpotsWeb 05172018 Health Plan Hot Spots
Web 05172018 Health Plan Hot Spots
Carol Buckmann
 
Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?
Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?
Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?
Carol Buckmann
 
Protecting Fiduciaries: ERISA Insurance, Bonding, and More
Protecting Fiduciaries: ERISA Insurance, Bonding, and MoreProtecting Fiduciaries: ERISA Insurance, Bonding, and More
Protecting Fiduciaries: ERISA Insurance, Bonding, and More
Carol Buckmann
 
Web ny chapter tax reform legislation presentation
Web ny chapter tax reform legislation presentationWeb ny chapter tax reform legislation presentation
Web ny chapter tax reform legislation presentation
Carol Buckmann
 
Nyc WEB-What's Keeping Plan Sponsors Up at Night
Nyc WEB-What's Keeping Plan Sponsors Up at NightNyc WEB-What's Keeping Plan Sponsors Up at Night
Nyc WEB-What's Keeping Plan Sponsors Up at Night
Carol Buckmann
 
Pwc nyc web 06.22.2017
Pwc nyc web 06.22.2017Pwc nyc web 06.22.2017
Pwc nyc web 06.22.2017
Carol Buckmann
 
Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)
Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)
Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)
Carol Buckmann
 
Withdrawal liability the great imposition on contributing employers - ... -...
Withdrawal liability the great imposition on contributing employers - ... -...Withdrawal liability the great imposition on contributing employers - ... -...
Withdrawal liability the great imposition on contributing employers - ... -...
Carol Buckmann
 
Webny presentation april 20, 2017
Webny presentation april 20, 2017Webny presentation april 20, 2017
Webny presentation april 20, 2017
Carol Buckmann
 
Ny web presentation 1(1)
Ny web presentation 1(1)Ny web presentation 1(1)
Ny web presentation 1(1)
Carol Buckmann
 
Richard Schwartz Interview
Richard Schwartz InterviewRichard Schwartz Interview
Richard Schwartz Interview
Carol Buckmann
 

More from Carol Buckmann (20)

Pw c web june 2019
Pw c web june 2019Pw c web june 2019
Pw c web june 2019
 
Web presentation may 2019 (costin)
Web presentation may 2019 (costin)Web presentation may 2019 (costin)
Web presentation may 2019 (costin)
 
Fin well sponsor presentation may 2019-web nyc
Fin well sponsor presentation may 2019-web nycFin well sponsor presentation may 2019-web nyc
Fin well sponsor presentation may 2019-web nyc
 
Webny 04182019 final
Webny 04182019 finalWebny 04182019 final
Webny 04182019 final
 
032119 -als--best practices prsn
032119 -als--best practices prsn032119 -als--best practices prsn
032119 -als--best practices prsn
 
Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...
 
Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...Operating in compliance. understanding irs and dol audit hot button issues an...
Operating in compliance. understanding irs and dol audit hot button issues an...
 
Pw c web 06.21.2018 final
Pw c web 06.21.2018 finalPw c web 06.21.2018 final
Pw c web 06.21.2018 final
 
Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20
Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20
Conduent pw c_web (06-21-18) nsformatted (formatted)rev 6-20
 
Web 05172018 Health Plan Hot Spots
Web 05172018 Health Plan Hot SpotsWeb 05172018 Health Plan Hot Spots
Web 05172018 Health Plan Hot Spots
 
Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?
Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?
Retirement Plans Under Attack-What Are Plan Sponsors Doing Now?
 
Protecting Fiduciaries: ERISA Insurance, Bonding, and More
Protecting Fiduciaries: ERISA Insurance, Bonding, and MoreProtecting Fiduciaries: ERISA Insurance, Bonding, and More
Protecting Fiduciaries: ERISA Insurance, Bonding, and More
 
Web ny chapter tax reform legislation presentation
Web ny chapter tax reform legislation presentationWeb ny chapter tax reform legislation presentation
Web ny chapter tax reform legislation presentation
 
Nyc WEB-What's Keeping Plan Sponsors Up at Night
Nyc WEB-What's Keeping Plan Sponsors Up at NightNyc WEB-What's Keeping Plan Sponsors Up at Night
Nyc WEB-What's Keeping Plan Sponsors Up at Night
 
Pwc nyc web 06.22.2017
Pwc nyc web 06.22.2017Pwc nyc web 06.22.2017
Pwc nyc web 06.22.2017
 
Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)
Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)
Conduent pw c_web june 2017 (revised deck 6-21-17(mary m)
 
Withdrawal liability the great imposition on contributing employers - ... -...
Withdrawal liability the great imposition on contributing employers - ... -...Withdrawal liability the great imposition on contributing employers - ... -...
Withdrawal liability the great imposition on contributing employers - ... -...
 
Webny presentation april 20, 2017
Webny presentation april 20, 2017Webny presentation april 20, 2017
Webny presentation april 20, 2017
 
Ny web presentation 1(1)
Ny web presentation 1(1)Ny web presentation 1(1)
Ny web presentation 1(1)
 
Richard Schwartz Interview
Richard Schwartz InterviewRichard Schwartz Interview
Richard Schwartz Interview
 

Web hipaa hitech and privacy

  • 1. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com HIPAA, HITECH and Privacy How to Manage Privacy and Security Risks and Considerations
  • 2. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Presented by Patricia Wagner Member of the Firm pwagner@ebglaw.com 202-861-4182 2
  • 3. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy and Security Considerations  Privacy • Who has access to the data? • What can be done with the data? • How is data protected from misuse?  Security • How is data secured? • How is security monitored? o Audits o Logs o Other? 3
  • 4. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Enforcement  Department of Health & Human Services, Office for Civil Rights  State AGs  Federal Trade Commission  Private Plaintiffs 4
  • 5. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy in State of Union Address  Reported that the State of the Union Address will include new initiatives related to privacy • Setting a national data breach reporting standard • Student Digital Privacy Act (restrict sale of student data) • Consumer Privacy Bill of Rights (reportedly would ensure more control over personal data for individuals, more closely in line with the rules in place in the European Union). 5
  • 6. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com The HIPAA Privacy Rule  The HIPAA Privacy Rule (the “Privacy Rule”) is a set of regulations that requires certain entities to maintain and protect the privacy and security of individually identifiable health information (also known as “protected health information” or “PHI”). 6
  • 7. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Mantra of HIPAA Privacy Rule  The HIPAA Privacy Standards establish a fundamental presumption that all “Protected Health Information” is confidential, and can only be disclosed with appropriate authorization from the individual  Exceptions to this presumption are limited 7
  • 8. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com HIPAA Security Rule  Requires protection of electronic PHI • Physical Safeguards • Administrative Safeguards • Technical Safeguards 8
  • 9. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com HITECH  Increased penalties for violation of the Privacy and Security Rules  Directly obligates business associates to certain requirements of the Privacy and Security Rules  Requires notification in the event of a breach of PHI 9
  • 10. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com What is PHI?  PHI is information: • in any form of medium, oral or recorded (not just electronic) • that relates to the individual’s health, healthcare, treatment, or payment • that identifies the individual in any way  That means PHI includes: • Name, address, birth date, phone and fax numbers, email address, social security numbers, and other unique identifiers • Type of doctor being visited (when added to something that could identify the patient) • Prescription information, other claims submission data 10
  • 11. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Examples of PHI for Group Health Plans  Group Health Plans may have PHI in: • Complaints from beneficiaries about whether service is being paid • Claim submissions • Appeals for denied services • Beneficiary support services • EAP documentation • Flexible Spending plan documentation • On-site medical clinics? (not always part of plan but may have special considerations) 11
  • 12. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Vendors May Have Access to PHI  Vendors • Third party administrator • IT service vendors • Storage facilities • Cloud vendors • On-site medical clinics 12
  • 13. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy Risks  The “rogue employee” • Someone accesses and using information in a way not permitted under the Privacy Rule, or other laws.  A Vendor’s rogue employee  A Vendor’s use of the data • what contractual rights did they reserve? 13
  • 14. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Rogue Employee  Walgreen Case (in Indiana) • Pharmacist viewed prescription records of a customer • Customer’s ex-boyfriend tells customer he has a print out of her records • Two years later customer finds out the ex-boyfriend is now married to Walgreen pharmacist • Pharmacist maintains she looked at customer’s record but never shared it • Customer files litigation • Trial ensues and jury delivers verdict $1.4 million for plaintiff 14
  • 15. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Rogue employee  Court held, and appellate court upheld • Employer responsible for acts of employee when conduct is within scope of employment o Within scope -- “incidental to job duties or originated in activities closely associated with job • As a result Walgreen and individual defendants are jointly liable for $1.4 million 15
  • 16. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy Gaining More Interest  Recent Letter from Senator Al Franken related to employees use of information provided to organization • Letter request asks for information related to o Steps taken to limit access to data by employees o Training provided to employees o Monitoring processes o Disciplinary policies 16
  • 17. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Other Employee Situations  The helper (shares information to “help”)  The deflector (uses privacy to deflect from the other issue)  The criminal (steals information to sell)  The case builder (takes information to “bolster” claims) 17
  • 18. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Employee Risk?  Training  Auditing  Disciplinary actions  Top down focus on privacy and security  Clear policies 18
  • 19. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Privacy Risks  The “rogue employee” • Someone accesses and using information in a way not permitted under the Privacy Rule, or other laws.  A Vendor’s rogue employee  A Vendor’s use of the data • what contractual rights did they reserve? 19
  • 20. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Vendor Risk  Dealing with reputable vendors  Strong contract language that • Protects data rights (may even want to protect data rights of de-identified data) • Limits use of data by vendor 20
  • 21. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Security Risks  Breach of information  Breach can occur through • Hacking • Lost device • Errant email • Lost mail or package 21
  • 22. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Sample of Security Breach Affecting Employees  Sony Breach - Class Action Suit already filed • Plaintiffs (former employees) allege that the following information was affected by the breach: o A Microsoft Excel document that contains the name, location, employee ID, network username, base salary and date of birth for more than 6,800 people; o A status report from April 2014 listing the names, dates of birth, Social Security numbers and health savings account data on more than 700 Sony employees; and o A file that appears to be the product of an internal audit from PriceWaterhouseCoopers, made up of screen shots of dozens of employees’ federal tax records and other compensation data. 22
  • 23. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Security Risks  Strong IT and Security Controls  Audits  Scans  Risk Assessments  “Dummy” calls 23
  • 24. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Managing Vendor Risk?  Strong contracts • Responsibility for breaches • What happens to data when contract is terminated  Diligence on vendors • How do you safeguard employee information? • Have you had any reportable breaches? • Do you have an incident response policy? • Do you store information or do you use a vendor to do so?  How do you assess the responses? 24
  • 25. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Cloud Vendor Special Issues  Limited negotiation power (“we don’t negotiate our agreements”)  May be reluctant to impart details related to security posture (which may be a good sign)  May charge “a la carte” fees for additional security measures (e.g., pay for meeting obligations of BA agreement) 25
  • 26. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Business Associate Agreements  Vendors that use, disclose, or maintain PHI should have a business associate agreement with the plan  Business Associate Agreement should have provisions required by regulation  Other provisions • De-identification (some vendors include data rights provisions in de- identification provisions) • Data aggregation (some vendors craft broad aggregation rights into this provision) • Protection in the event of a security breach (indemnification, insurance, other language) • Disclaimer of agency 26
  • 27. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Compliance Tips  Training  Monitoring  Have a Fulsome Complaint Process  Don’t ignore issues (mitigate)  Get the full story 27
  • 28. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Other Areas of Focus for Privacy/Security  Mobile Devices • Phones, Tablets, Laptops o Screen locks o Encryption o Selected Models o Limit Storage o Limit activities?  Social Media (Twitter, Facebook, etc. etc)  Strong policy, but aware of laws 28
  • 29. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com HIPAA Civil Penalties 29 Violation Category Each violation All such violations of an identical provision in a calendar year (A) Did Not Know $100–$50,000 $1,500,000 (B) Reasonable Cause $1,000–50,000 $1,500,000 (C)(i) Willful Neglect-Corrected $10,000–50,000 $1,500,000 (C)(ii) Willful Neglect-Not Corrected $50,000 1,500,000 $1,500,000 Criminal Penalties Can Also Apply
  • 30. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com Questions? 30