Startups operating in the health IT sector have a legal obligation to safeguard health records in their custody and ensure that they are securely retained and transferred.
Complying with the industry privacy laws can be daunting. In many cases, it can pose a barrier to entry for startups.
Whether you are new to the sector or want to deepen your understanding of the laws, we can help. A question-and-answer period will follow the main presentation.
4. What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation in Canada which came into force in 2004.
PIPEDA governs the collection, use or disclosure of personal information by:
• Private sector organizations which collect the information in the course of commercial activities; and
• Federal works, undertakings and businesses, in respect of employee personal information.
5. What does PIPEDA govern?
PIPEDA applies across the country, but for private companies that primarily operate in a single province, PIPEDA will not apply where the province has already enacted provisions similar to PIPEDA and the business falls within the scope of the provincial legislation.
These provinces are:
• British Columbia (Personal Information Act);
• Alberta (Personal Information Protection Act);
• Quebec (An Act Respecting the Protection of Personal Information in the Private Sector);
• Ontario (Personal Health Information Protection Act);
• New Brunswick (Personal Health Information Privacy and Access Act); and
• Newfoundland and Labrador (Personal Health Information Act).
6. Duties under PIPEDA
PIPEDA contains a series of principles which govern the collection and use of personal data:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
7. Good practices under PIPEDA
1. Accountability: Designate an individual within the organization who is responsible for managing and responding to privacy issues related to the organization’s operations.
2. Identifying Purposes: Develop a plan which identifies what personal information you need and explicitly link that information with the purpose for which it will be used.
3. Consent: Obtain consent from individuals before their information is collected, and explain how the information will be used and disclosed.
4. Limiting Collection: Limit collection of data to only that which is necessary for the identified purposes.
8. Good practices under PIPEDA
5. Limiting Use, Disclosure, and Retention: Only use or disclose information for identified purposes, and do not retain information for any longer than is necessary to satisfy those purposes. Dispose of personal information in a way that prevents a privacy breach.
6. Accuracy: Ensure information is as accurate, complete and up to date as is necessary for the purpose for which the information was collected and in the interests of the individual.
7. Safeguards: Ensure an adequate security policy is in place to protect information, and that appropriate safeguards are in place.
8. Openness: Staff should be trained to respond to individual inquiries.
9. Individual Access: Provide individuals with access to their information where appropriate.
10. Challenging Compliance: Provide a process for handling complaints about the organization’s compliance with the above principles.
9. Recommended Reading
Privacy Toolkit: A Guide for Businesses and Organizations. Canada's Personal Information Protection and Electronic Documents Act.
https://www.priv.gc.ca/information/pub/guide_org_e.pdf
10. PIPEDA and Digital Health
PIPEDA does not impose special obligations on digital health companies.
Under s. 30(1.1), the Act states that the duties imposed on the use of personal information in the private sector:
…does not apply to any organization in respect of personal health information that it collects, uses or discloses within a province … unless the organization … discloses the information outside the province … .
KEY QUESTION – What is “personal health information”?
12. What is PHIPA?
The Personal Health Information Protection Act (PHIPA) is Ontario legislation which came into force in 2004.
Its purpose, as per s. 1 of the Act, is to:
• establish rules for the collection, use and disclosure of personal health information;
• provide individuals with a right of access to personal health information about themselves;
• provide individuals with a right to require the correction or amendment of personal health information about themselves;
• provide for independent review and resolution of complaints with respect to personal health information; and
• provide effective remedies for contraventions of the Act.
13. What does PHIPA govern?
PHIPA applies to the collection, use and disclosure of personal health information by health information custodians (whether or not in the course of commercial activities).
14. PHIPA – Key Definitions
“Personal health information” is “identifying” information collected about an individual, whether oral or recorded, if the information:
• relates to the physical or mental health of the individual, including information that consists of the individual’s family health history;
• relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
• is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual;
• relates to payments or eligibility for health care in respect of the individual;
• relates to the donation by the individual of any body part or bodily substance, or is derived from testing of such body part or substance;
• is the individual’s health number; or
• identifies the individual’s substitute decision-maker (s. 4(1)).
15. PHIPA – Key Definitions cont.
Information is “identifying” when it identifies an individual or when it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual. It is not necessary for the individual to be actually named for the information to be considered personal health information.
Generally, “personal health information” does not include identifying information held by health information custodians as employers, i.e. personal health information relating to an employee maintained primarily for a purpose other than the provision of health care to the employee.
16. PHIPA – Key Definitions cont.
“Health Information Custodians” are persons or organizations who have custody or control of personal health information, such as primary health care providers and related services, including:
• health care practitioners
• community care service providers
• hospitals
• long-term care homes
• pharmacies
• retirement homes
• medical officers, etc.
17. PHIPA – Key Definitions cont.
Are you an “agent” of a custodian?
You are considered to be an agent if, with respect to personal health information:
• you are authorized to act on behalf of a custodian; and
• you perform activities for the purposes of the custodian rather than your own purposes.
This is the case:
• whether or not you have the authority to bind the custodian;
• whether or not you are employed by the custodian; and
• whether or not you are receiving remuneration.
18. PHIPA – Key Definitions cont.
Service Providers and Health Information Network Providers
If you are not an agent of the custodian, but provide goods or services that enable the custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, you are a service provider and must comply with certain restrictions on the use and disclosure of that information that are set out in the regulations that accompany PHIPA.
If you perform such services for multiple health information custodians, you are called a health information network provider.
19. Recipient
PHIPA also applies to the use and disclosure of personal health information by
persons who receive the information from a health information custodian.
For example, an insurance company that receives personal health information
from a hospital is a recipient and may generally use or disclose it only for the
purpose for which the custodian was authorized to disclose it.
If the individual gives the same information to the insurance company directly,
the insurer is not a recipient under PHIPA, because the information did not come
from a health information custodian; PIPEDA, not PHIPA, would then govern it.
20. Applicability of Statutes
PHIPA applies to everyone, not only custodians, regarding the collection, use or
disclosure of Ontario health (OHIP) numbers.
PIPEDA applies to collections, uses and disclosures of personal information that
cross the Ontario border in the course of commercial activities. For example,
PIPEDA applies to the disclosure of personal information by health information
custodians in Ontario to persons in other provinces or countries when done in
the course of commercial activities.
21. Duties under PHIPA
PHIPA includes a wide variety of duties, which are very similar to the obligations
under PIPEDA. Examples of duties under PHIPA include:
• Minimum necessary – collect, use and disclose only the information needed for
the purpose;
• Knowledgeable consent – consent must be obtained before information is
collected, used or disclosed, except in specific circumstances where the law
authorizes health care providers to collect, use or share a person’s information
without consent (such as reporting for public health safety); consent can be
express or implied;
• Accuracy – a duty to take reasonable steps to ensure information collected is
accurate, complete and up-to-date as necessary in relation to the purpose for
which it was collected;
22. Duties under PHIPA cont.
• Security – a duty to take reasonable steps to ensure that personal health
information is protected against theft, loss and unauthorized use or disclosure;
• Accountability – a duty to designate a contact person who is ultimately
responsible for ensuring compliance with the Act; and
• Policy – provide a written public statement describing the practices used to
protect information and naming the person to contact if someone has a question
or concern about their personal health record.
23. Duties under PHIPA cont.
Regarding policy and related practices:
• Health information custodians must take steps that are reasonable in the
circumstances to ensure that personal health information in the custodian’s
custody or control is protected against theft, loss and unauthorized use or
disclosure.
• Health information custodians must take similar steps to ensure that the records
containing the information are protected against unauthorized copying,
modification or disposal.
• An agent is required to notify the health information custodian at the first
reasonable opportunity if personal health information handled by the agent on
behalf of the custodian is stolen, lost or accessed, used or disclosed without
authority.
24. Hypothetical Questions
A developer from Ontario developed an app that collects an Ontario user’s heart
rate from the band of the user’s watch, and the information is stored on a server
in Ontario. The user purchased the app from an app store.
The heart rate is “personal health information” as defined by PHIPA.
QUESTIONS
1. Is the app developer a “health information custodian”?
2. Is the app developer an “agent” of a health information custodian?
3. Is the app developer a “service provider” or “health information network
provider” to a health information custodian?
4. What if the app developer is a person who supplies services for the purpose of
enabling an Ontario doctor or hospital to collect and use personal health
information? What if the doctor or hospital is from Alberta? New York?
5. What if the app was purchased and used by an end user in New York?
25. Hypothetical Answers
1. The developer does not fall within the definition of health information custodian.
2. The developer is not an agent, because the developer is authorized by the user
who purchased the app, not by a health information custodian.
3. The developer is providing a service to the user of the app and not to a health
information custodian, so the developer is not a service provider or health
information network provider.
4. The developer then appears to be a service provider to the Ontario doctor or
hospital, but more information would be needed to confirm. If it were a doctor or
hospital in Alberta, PIPEDA might apply, as the activity is interprovincial. If it
were a doctor or hospital in New York, PIPEDA might apply to the developer, as the
activity is international, but US laws (such as HIPAA, if the doctor or hospital is a
covered entity and the developer its business associate) may apply as well.
5. PIPEDA might apply, as the commercial activity of buying the app would be an
international transaction.
26. Contact:
Stephen Whitney
Of Counsel
Norton Rose Fulbright Canada LLP / S.E.N.C.R.L., s.r.l.
51 Breithaupt Street, Suite 100
Kitchener, Ontario N2H 5G5 Canada
Royal Bank Plaza, South Tower, Suite 3800
200 Bay Street, P.O. Box 84, Toronto, ON M5J 2Z4 Canada
T: +1 226.868.9125
stephen.whitney@nortonrosefulbright.com
28. Disclaimer
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP,
each of which is a separate legal entity, are members (‘the Norton Rose Fulbright members’) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the
activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.
References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose
Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is
described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or
consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright
entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual
contact at Norton Rose Fulbright.
29. What’s up eDoc?: A Privacy Primer for Health IT at MaRS
HIPAA and State Laws
Kimberly J. Gold
September 30, 2015
30. Bio
Kimberly Gold is a Senior Associate in Norton Rose Fulbright's New York Office. Her practice focuses on
healthcare transactions, regulatory compliance, and privacy and security matters.
Kimberly has extensive experience in the areas of privacy, information security, cybersecurity and information
management. She regularly advises clients on matters involving privacy and security of patient information
under HIPAA and state laws. She also represents clients in the health information technology area and has
counseled pharmaceutical and mobile app companies on privacy and FDA regulatory issues.
Kimberly is currently working on-site with the Global Privacy Office of a global pharmaceutical company on
various legal matters, including negotiating vendor agreements, providing advice on marketing and clinical trial
initiatives, and developing privacy notices, consent documents, and internal policies.
Kimberly's transactional experience includes mergers and acquisitions, joint ventures, and affiliations of
hospitals, group practices and other provider entities. She also represents not-for-profit and tax-exempt
organizations on a broad range of matters, and regularly advises clients on issues relating to accreditation by
the Accreditation Council for Graduate Medical Education (ACGME) and the Liaison Committee on Medical
Education (LCME).
Kimberly is a frequent writer and speaker on privacy and health care issues. She has appeared before the
American Bar Association, American Health Lawyers Association and New York State Bar Association,
speaking on topics such as health information technology, HIPAA compliance, and data breaches. Kimberly
also has written articles about breach notification requirements and state privacy laws for national publications,
including the American Journal of Health-System Pharmacy and HCCA Compliance Today.
Kimberly is a Certified Information Privacy Professional (CIPP/US) through the International Association of
Privacy Professionals.
Kimberly Gold
Senior Associate
Norton Rose Fulbright
New York
+1 212 318 3103
kimberly.gold@nortonrosefulbright.com
31. Agenda
• Overview of HIPAA
• Terms and Definitions
• Protected Health Information (PHI)
• Covered Entity
• Business Associate
• Core Privacy and Security Requirements
• Business Associate obligations
32. What is HIPAA?
A law enacted by the U.S. Congress in 1996.
For privacy and security purposes it consists principally of the Privacy Rule and
the Security Rule (with the later Breach Notification and Enforcement Rules).
The HIPAA Privacy Rule defines protected health information (PHI) and limits the
circumstances in which it can be used and disclosed.
The HIPAA Security Rule establishes standards for the protection of PHI held or
transmitted in electronic form (ePHI).
33. What is HIPAA (cont’d)?
• In general, HIPAA permits
covered entities to use and
disclose protected health
information for their own
treatment, payment and health
care operations purposes.
• Specific patient authorization is
required for use/disclosure for
other purposes.
34. Three Subsets of the HIPAA Rules
Privacy Rule
• Uses and disclosures of PHI
• Requirements for interacting with patients (notice of privacy practices,
access, amendment, accounting of disclosures)
Security Rule
• Administrative, physical and technical safeguards for ePHI
• Breach notification (strictly a separate rule, 45 CFR Part 164 Subpart D,
added by HITECH, but usually handled together with the Security Rule)
Enforcement Rule
• Compliance and enforcement procedures
• Civil monetary penalties
35. What is HITECH?
• The Health Information Technology for Economic and Clinical Health Act
(HITECH) was passed in 2009 as part of the American Recovery and
Reinvestment Act (ARRA), the “stimulus bill.”
• US $20 billion+ in incentives to encourage doctors and hospitals to adopt
health IT (electronic health records).
• Strengthened HIPAA for digital data: Business Associates became directly
liable, federal breach notification for unsecured PHI was introduced, and
penalties were increased.
36. HIPAA Omnibus Rule – 2013 Updates
• Important changes:
• Business Associates (and their subcontractors) directly regulated
• PHI storage
• HITECH breaches (the “low probability of compromise” risk assessment
standard)
• Penalties and enforcement
37. What is a HIPAA Covered Entity?
• Covered Entities:
• Health care providers that transmit health information electronically in
connection with a transaction covered by HIPAA (claims, eligibility, etc.)
• Health care clearinghouses
• Health plans
• Business Associates of the above are not themselves covered entities, but
since HITECH and the Omnibus Rule they are directly regulated and directly
liable under much of the Privacy Rule and all of the Security Rule.
38. What is Protected Health Information (PHI)?
• Protected Health Information (PHI): individually identifiable health
information, in any form or medium, that:
• Relates to an individual’s health condition, the provision of health care, or
payment for health care
• Identifies the individual, or could reasonably be used to identify the
individual
• Is created or received by a HIPAA covered entity (or its business associate)
39. Protected Health Information - Identifiers
The identifiers that must be removed under the Safe Harbor de-identification
method:
• Name
• Social Security Number
• Driver’s License or other government-issued identification number
• Telephone/Fax Number
• Email Address
• Geographic Subdivision Smaller Than a State (such as street address, city,
county, and 5-digit ZIP code; the first three digits of a ZIP code may be kept
when the area they cover has more than 20,000 people)
• Certificate/License Number
• Financial Account Number (such as bank accounts and payment card accounts)
• Medical Record Number
• Health Plan Beneficiary Number
• IP Address
• URL
• Dates Directly Related to Individuals, other than the year (such as date of
birth, date of death, admission and discharge dates), and any age over 89
• Biometric Identifiers (including fingerprints and voice prints)
• Device Identifiers and Serial Numbers
• Vehicle Identifiers and Serial Numbers (including license plate numbers)
• Full-face Photographs (or comparable images)
• Any other unique identifying number, characteristic or code
40. De-identified information
• PHI may be de-identified by removing all details that could reasonably be
used to identify an individual. Once de-identified, the information is no
longer PHI and the Privacy Rule no longer restricts it.
• De-identification can be accomplished by:
• Safe Harbor: removing all of the identifiers listed above, provided the
covered entity has no actual knowledge that the remaining information could
identify the individual; or
• Expert Determination: a qualified statistician or other expert determines and
documents that the risk of re-identification is very small.
• Vendors may seek to use de-identified information for their own purposes, for
example for comparative effectiveness studies, policy assessments, and other
endeavors; whether a Business Associate may de-identify PHI for this should be
addressed in the Business Associate Agreement.
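The Safe Harbor method described above is mechanical enough to put in code, and doing so exposes the two places where a naive "drop the listed fields" script goes wrong: a birth year still reveals an age over 89, and free-text fields carry identifiers that no field name will catch. The following is an added example written for this page, not code from the presentation or from any product; the record layout (field names such as mrn, dob, zip, notes) is an assumed flat schema, and the list of sparsely populated 3-digit ZIP prefixes is taken from the HHS Safe Harbor guidance and should be checked against the current list before use.

```python
"""Safe Harbor de-identification of a flat patient record.

Added example for this page, not code from the presentation. The field
names (name, mrn, dob, zip, notes, ...) are an assumed record layout; the
rules are the HIPAA Safe Harbor rules: remove the direct identifiers, keep
only the year of dates, collapse ages over 89 (and any date that would
reveal such an age) into "90+", keep only the first three digits of a ZIP
code (000 for the sparsely populated prefixes in the HHS guidance), and
refuse to pass free text that still looks like it contains an identifier.
"""
import re
from datetime import date

# Direct identifiers: dropped outright, never generalized.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "health_plan_id", "phone", "fax", "email",
    "street", "city", "county", "ip_address", "url", "device_serial",
    "license_plate", "account_number", "license_number", "biometric", "photo",
}
# Fields kept only as a year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "date_of_death"}
# Fields released as-is once the record has been checked.
SAFE_FIELDS = {"sex", "diagnosis"}
# Free-text fields: released only if no identifier pattern is found in them.
FREE_TEXT_FIELDS = {"notes"}

# 3-digit ZIP prefixes covering 20,000 people or fewer (HHS Safe Harbor
# guidance, assumed current here); these are reported as 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns that betray an identifier left in free text.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code):
    """First three digits of a ZIP, or 000 for a restricted prefix."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scan_free_text(text):
    """Names of the identifier patterns found in text, sorted."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


def deidentify(record):
    """Return (deidentified_record, problems).

    problems lists (field, reason) pairs for anything the allow-list could
    not clear: unknown fields and free text with an identifier-like pattern.
    A record with problems must not be released as de-identified.
    """
    out = {}
    problems = []
    over_89 = record.get("age", 0) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "age":
            out["age"] = "90+" if over_89 else value
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            # Year is allowed, except a birth year that would show age > 89.
            if not (field == "dob" and over_89):
                out[field + "_year"] = value.year
        elif field in SAFE_FIELDS:
            out[field] = value
        elif field in FREE_TEXT_FIELDS:
            hits = scan_free_text(value)
            if hits:
                problems.append((field, "contains " + ", ".join(hits)))
            else:
                out[field] = value
        else:
            # Unknown field: refuse rather than guess.
            problems.append((field, "not on the allow-list"))
    return out, problems


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-00012345",
    "dob": date(1921, 4, 2),
    "age": 94,
    "sex": "F",
    "zip": "03601",
    "admission_date": date(2015, 9, 28),
    "diagnosis": "I10",
    "notes": "Call daughter at 555-867-5309 before discharge.",
}

if __name__ == "__main__":
    clean, issues = deidentify(SAMPLE_RECORD)
    print(clean)
    print(issues)
```

The design choice worth copying is the allow-list: a field is released only because the code knows what it is, so a new column added upstream surfaces as a problem instead of leaking. Note also that the sample patient is over 89, so both the age and the year of birth disappear, and the phone number in the free-text note blocks release of that field until someone scrubs it.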
41. What is a Business Associate?
• A person or entity that creates, receives, maintains or transmits PHI in
performing or assisting with functions on behalf of a covered entity.
• Examples:
– Cloud vendors
– Providers of data transmission services that routinely access PHI (a mere
conduit such as an ISP or courier is not a Business Associate)
– Subcontractors of Business Associates
• HIPAA requires covered entities to enter into written agreements with
Business Associates, called Business Associate Agreements (BAAs).
• Covered entities can be held liable for HIPAA violations by Business
Associates in some cases (for example where the Business Associate is acting
as the covered entity’s agent).
• Where a vendor is acting as a Business Associate, the vendor is directly
liable for compliance with many aspects of the Privacy Rule and all of the
Security Rule.
42. Are you a Business Associate?
• In the course of business, is PHI:
• Created
• Received
• Maintained
• Transmitted
• For or on behalf of a covered entity? If so, you are a Business Associate.
43. What are Business Associates Liable for?
• HITECH breaches
• Failure to provide breach notification to the covered entity
• Failure to provide electronic access to PHI
• When requested by the individual
• When requested by the Covered Entity
• Failure to provide an accounting of disclosures
• …and more
• PLUS, contractual liability for breaches of Business
Associate Agreements
• BAAs contain terms and conditions for access and use
of PHI.
44. Is Patient Data Secure on the Cloud?
• When electronic PHI (ePHI) is stored or maintained in the cloud:
• Healthcare providers/covered entities are “disclosing” it to the cloud vendor
• The cloud vendor becomes a Business Associate
• The cloud vendor must comply with HIPAA and HITECH provisions
• Challenges arise when the cloud provider does not know what data it is
maintaining. (HHS guidance issued in October 2016, after this presentation,
confirms that a cloud provider storing ePHI is a Business Associate even if it
holds only encrypted data and has no decryption key.)
45. The HIPAA Security Rule
• Establishes safeguards to ensure the confidentiality, integrity and
availability of ePHI
• Administrative safeguards (risk analysis, policies, workforce training)
• Physical safeguards (facility and device controls)
• Technical safeguards (access control, audit controls, integrity,
authentication, transmission security)
47. Data Breaches
• A data breach is any acquisition, access, use, or disclosure of PHI in a
manner not permitted by the HIPAA Privacy Rule, whether internal or external,
that compromises the security or privacy of the PHI.
• Since the Omnibus Rule, such an incident is presumed to be a breach unless a
documented risk assessment shows a low probability that the PHI has been
compromised.
• A breach does not have to result in confirmed identity theft or other harm
before notification obligations are triggered.
49. What to do?
• Risk analysis
• Risk management program
• Security official
• Policies and procedures
• Employee training
• Subcontractor BAAs
• Document compliance
• NOTE: HIPAA and HITECH do not mandate that data be encrypted; encryption is
an “addressable” implementation specification under the Security Rule, so a
decision not to encrypt must be documented and justified.
• But PHI that is encrypted in accordance with the HHS guidance (for example,
NIST-validated encryption with the key kept on a separate device) is not
“unsecured PHI,” so its loss or theft does not trigger breach notification or
the associated penalties.
50. HIPAA and Mobile Devices
• HIPAA applies to any mobile device that receives, transmits, or stores PHI.
• OCR and ONC suggest measures to ensure that PHI is secure on mobile devices:
• Use a password or other user authentication. You can also activate a screen
lock after the device has not been used for a period of time.
• Install or enable encryption.
• Install or activate remote wiping and/or disabling.
• Disable or do not use file-sharing applications.
• Install or enable firewalls.
• Install or enable security software.
• Keep your security software up to date.
• Research apps before downloading.
• Maintain physical control.
• Use adequate controls when using Wi-Fi.
• Delete all stored PHI before reusing or discarding a device.
51. What happens if I don’t comply with HIPAA?
• Civil and criminal penalties
• HITECH breaches:
• Up to US $50,000 per violation
• Up to US $1.5 million per calendar year for violations of the same
provision
• Lack of knowledge is no longer a complete defense; it only lowers the
penalty tier
• Mandatory HITECH audit program
52. HITECH Breaches: How Much Will It Cost You?
Degree of Culpability / “State of Mind” | Potential Penalty Per Violation | Maximum Annual Cap for All Violations
Violation was not known and could not have been discovered with reasonable diligence | $100 – $50,000 | $1,500,000
Reasonable cause for violation, not due to willful neglect | $1,000 – $50,000 | $1,500,000
Violation due to willful neglect, but corrected in 30 days | $10,000 – $50,000 | $1,500,000
Violation due to willful neglect, not corrected in 30 days | $50,000 | $1,500,000
(Amounts as of 2015; the figures are adjusted for inflation annually.)
53. HIPAA Violations: Criminal Penalties
Knowing violation | up to $50,000 fine and/or 1 year imprisonment
Violation committed under false pretenses | up to $100,000 fine and/or 5 years imprisonment
Violation with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm | up to $250,000 fine and/or 10 years imprisonment
54. OCR Enforcement Results by Year
Year | No violation | Resolved after intake and review | Corrective action obtained | Total resolutions
2003 (partial year) | 5% | 78% | 17% | 1516
2004 | 7% | 71% | 22% | 4799
2005 | 11% | 68% | 21% | 5692
2006 | 14% | 62% | 24% | 6599
2007 | 10% | 69% | 21% | 7238
2008 | 13% | 63% | 24% | 9341
2009 | 15% | 59% | 26% | 8106
2010 | 17% | 54% | 29% | 9189
2011 | 16% | 53% | 31% | 8363
2012 | 10% | 54% | 36% | 9408
2013 | 7% | 69% | 24% | 14300
55. What We’ve Learned from OCR Resolution Agreements
• OCR is monitoring breach notification reports.
• No one is immune from enforcement.
• Heavy emphasis on performance of thorough security risk
analysis and identification of vulnerabilities.
• Having policies and procedures in place is critical…so is
following them.
• Workforce must be trained.
• If devices and equipment aren’t encrypted, you need to
document why.
56. State Laws
• Some state health information laws are stricter than
HIPAA.
– For example, California’s Confidentiality of Medical
Information Act (CMIA).
• A majority of states (47/50) have enacted data breach
notification laws.
58. Disclaimer
Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities
and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to
clients.
References to ‘Norton Rose Fulbright’, ‘the law firm’ and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose
Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is
described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or
consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright
entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual
contact at Norton Rose Fulbright.