What’s up eDoc?: A Health IT Privacy Primer at MaRS
Stephen Whitney
Of Counsel
Norton Rose Fulbright Canada LLP
September 30, 2015
Agenda
Introduction
PIPEDA
PHIPA
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act
(PIPEDA) is federal legislation in Canada which came into force in
2004.
PIPEDA protects the collection, use or disclosure of personal
information in:
•  Private sector organizations which collect the information in the
course of commercial activities; and
•  Federal works, undertakings and businesses in respect of
employee personal information.
What does PIPEDA govern?
PIPEDA applies across the country but for private companies that
primarily operate in a single province, PIPEDA will not apply where the
province has already enacted similar provisions to PIPEDA and the
business fits within the scope of the provincial legislation.
These provinces are:
•  British Columbia (Personal Information Act);
•  Alberta (Personal Information Protection Act);
•  Quebec (An Act Respecting the Protection of Personal Information
in the Private Sector);
•  Ontario (Personal Health Information Protection Act);
•  New Brunswick (Personal Health Information Privacy and Access
Act); and
•  Newfoundland and Labrador (Personal Health Information Act).
Duties under PIPEDA
PIPEDA contains a series of principles which govern the collection and
use of personal data:
1.  Accountability
2.  Identifying Purposes
3.  Consent
4.  Limiting Collection
5.  Limiting Use, Disclosure and Retention
6.  Accuracy
7.  Safeguards
8.  Openness
9.  Individual Access
10.  Challenging Compliance
Good practices under PIPEDA
1.  Accountability: Designate an individual within the organization who is
responsible for managing and responding to privacy issues related to the
organization’s operations.
2.  Identifying Purposes: Develop a plan which identifies what personal
information you need and explicitly link that information with the purpose for
which it will be used.
3.  Consent: Obtain consent from individuals before their information is
collected – explain how the information will be used and disclosed.
4.  Limiting Collection: Limit collection of data to only that which is necessary
for the identified purposes.
Good practices under PIPEDA
5.  Limiting Use, Disclosure, and Retention: Only use or disclose information
for identified purposes, and do not retain information for any longer than is
necessary to satisfy those purposes. Dispose of personal information in a
way that prevents privacy breach.
6.  Accuracy: Ensure information is accurate, complete and up to date as is
necessary in the interests of the purpose for which the information was
collected and the interests of the individual.
7.  Safeguards: Ensure an adequate security policy is in place to protect
information, and that appropriate safeguards are in place.
8.  Openness: Staff should be trained to respond to individual inquiries.
9.  Individual Access: Provide individuals with access to their information
where appropriate.
10.  Challenging Compliance: Provide recourse against complaints about the
organization’s compliance with the above principles.
Recommended Reading
Privacy Toolkit: A Guide for Businesses and Organizations
Canada's Personal Information Protection and Electronic Documents Act
https://www.priv.gc.ca/information/pub/guide_org_e.pdf
PIPEDA and Digital Health
PIPEDA does not impose special obligations on digital health
companies.
Under s. 30(1.1), the Act states that the duties imposed on the use of
personal information in the private sector:
…does not apply to any organization in respect of personal health
information that it collects, uses or discloses within a province …
unless the organization … discloses the information outside
the province … .
KEY QUESTION – What is “personal health information”?
Agenda
Introduction
PIPEDA
PHIPA
What is PHIPA?
The Personal Health Information Protection Act (PHIPA) is Ontario legislation
which came into force in 2004.
Its purpose, as per s. 1 of the Act, is to:
•  establish rules for the collection, use and disclosure of personal health
information;
•  provide individuals with a right of access to personal health information
about themselves;
•  provide individuals with a right to require the correction or amendment of
personal health information about themselves;
•  provide for independent review and resolution of complaints with respect
to personal health information; and
•  to provide effective remedies for contraventions of this Act.
What does PHIPA govern?
PHIPA applies to the collection, use and disclosure of personal health
information by health information custodians (whether or not in the
course of commercial activities).
PHIPA – Key Definitions
“Personal health information” is “identifying” information collected about an
individual, whether oral or recorded if the information:
• relates to the physical or mental health of the individual, including information
that consists of the individual’s family health history,
• relates to the providing of health care to the individual, including the identification
of a person as a provider of health care to the individual,
• is a plan of service within the meaning of the Long-Term Care Act, 1994 of the
individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance, or
is derived from testing of such body part or substance,
• is the individual’s health number, or
• identifies the individual’s substitute decision-maker: s. 4(1).
PHIPA – Key Definitions cont.
Information is “identifying” when it identifies an individual or when it is reasonably
foreseeable in the circumstances that it could be utilized, either alone or with other
information, to identify the individual. It is not necessary for the individual to be
actually named for the information to be considered personal health information.
Generally, “personal health information” does not include identifying information
held by health information custodians as employers, i.e. personal health
information relating to an employee maintained primarily for a purpose other than
the provision of health care to the employee.
“Health Information Custodians” are persons or organizations who have custody or
control of personal health information, such as primary health care providers and
related services, including:
-  health care practitioners
-  community care service providers
-  hospitals
-  long-term care homes
-  pharmacies
-  retirement homes
-  medical officers, etc.
PHIPA – Key Definitions cont.
Are you an “agent” of a custodian?
You are considered to be an agent if, with respect to personal health
information:
• you are authorized to act on behalf of a custodian; and
• you perform activities for the purposes of a custodian rather than your own
purposes;
• whether or not you have the authority to bind the custodian;
• whether or not you are employed by the custodian; and
• whether or not you are receiving remuneration.
PHIPA – Key Definitions cont.
Service Providers and Health Information Network Providers
If you are not an agent of the custodian, but provide goods or services that enable
the custodian to use electronic means to collect, use, modify, disclose, retain or
dispose of personal health information, you are a service provider and must
comply with certain restrictions on the use and disclosure of that information that
are set out in the regulations that accompany PHIPA.
If you perform services for multiple Health Information Custodians, you are called a
Health Information Network Provider.
Recipient
PHIPA applies to the use and disclosure of personal health information by persons
who receive the information from a Health Information Custodian.
For example, an insurance company that receives personal health information
from a hospital is a Recipient.
If I submit the same information to the insurance company, it is not considered
personal health information because I am not a health information custodian.
Applicability of Statutes
PHIPA applies to everyone regarding the collection, use or disclosure of OHIP
numbers.
PIPEDA will apply to collections, uses and disclosures of personal information by
health information custodians outside Ontario in the course of commercial
activities. For example, PIPEDA will apply to the disclosure of personal information
by health information custodians in Ontario to persons in other provinces when
done in the course of commercial activities.
Duties under PHIPA
PHIPA includes a wide variety of duties, which are very similar to the obligations
under PIPEDA. Examples of duties under PHIPA include:
•  Minimum – collect only the information you need to do the job;
•  Knowledgeable consent – except in specific circumstances where the law
authorizes healthcare providers to collect, use or share a person’s information
without consent (such as reporting for public health safety), consent must be
obtained before information is collected, used or disclosed; consent can be
express or implied;
•  Accuracy – a duty to take reasonable steps to ensure information collected is
accurate, complete and up-to-date as necessary in relation to the purpose for
which it was collected;
Duties under PHIPA cont.
•  Security – a duty to take reasonable steps to ensure that personal health
information is protected against theft, loss and unauthorized use or disclosure;
•  Accountability – a duty to ensure there is an ultimately responsible person at the
company who ensures compliance with the Act; and
•  Policy – provide a written description of the practices you use to protect
information, and the name of the person to contact if someone has a question or
concern about their personal health record.
Duties under PHIPA cont.
Regarding Policy and Related Practices:
•  Health Information Custodians must take steps that are reasonable in the
circumstances to ensure that Personal Health Information in the custodian’s
custody or control is protected against theft, loss and unauthorized use or
disclosure.
•  Health Information Custodians must take similar steps to ensure that the records
containing the information are protected against unauthorized copying,
modification or disposal.
•  An Agent is required to notify the Health Information Custodian at the first
reasonable opportunity if Personal Health Information handled by the Agent on
behalf of the custodian is stolen, lost or accessed by unauthorized persons.
Hypothetical Questions
A developer from Ontario developed an app that collects an Ontario user’s heart
rate in combination with the band from the user’s watch and the information is
stored on a server in Ontario. The user purchased the app from an app store.
The heart rate is “personal health information” as defined by PHIPA.
QUESTIONS
1. Is the app developer a “health information custodian”?
2. Is the app developer an “agent” of a health information custodian?
3. Is the app developer a “service provider” or “health information network
provider” to a health information custodian?
4. What if the app developer is a person who supplies services for the purpose of
enabling an Ontario doctor or hospital to collect and use personal health
information? What if the doctor or hospital is from Alberta? New York?
5. What if the app was purchased and used by an end user in New York?
ANSWERS:
1.  The developer does not fall within the definition of health information custodian.
2.  The developer is not an agent because the developer is not authorized by a
health information custodian but by the user who purchased the app.
3.  The developer is providing a service to the user of the app and not a health
information custodian so the developer is not a service provider or health
information network provider.
4.  The developer seems to be a service provider to the Ontario doctor/hospital,
but more information would be needed to confirm. If it was a doctor/hospital in
Alberta, PIPEDA might apply as it is interprovincial. If it was a doctor/hospital in
California, PIPEDA might apply to the developer as it is international, but US
laws may apply as well.
5.  PIPEDA might apply as the commercial activity of buying the app would be an
international transaction.
Contact:
Stephen Whitney
Of Counsel
Norton Rose Fulbright Canada LLP / S.E.N.C.R.L., s.r.l.
51 Breithaupt Street, Suite 100
Kitchener, Ontario N2H 5G5 Canada
Royal Bank Plaza, South Tower, Suite 3800
200 Bay Street, P.O. Box 84, Toronto, ON M5J 2Z4 Canada
T: +1 226.868.9125
stephen.whitney@nortonrosefulbright.com
What’s Up eDoc?: A Health IT Privacy Primer
Disclaimer
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP,
each of which is a separate legal entity, are members (‘the Norton Rose Fulbright members’) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the
activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.
References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose
Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is
described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or
consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright
entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual
contact at Norton Rose Fulbright.
What’s up eDoc?: A Privacy Primer for
Health IT at MaRS
HIPAA and State Laws
Kimberly J. Gold
September 30, 2015
Bio
Kimberly Gold is a Senior Associate in Norton Rose Fulbright's New York Office. Her practice focuses on
healthcare transactions, regulatory compliance, and privacy and security matters.
Kimberly has extensive experience in the areas of privacy, information security, cybersecurity and information
management. She regularly advises clients on matters involving privacy and security of patient information
under HIPAA and state laws. She also represents clients in the health information technology area and has
counseled pharmaceutical and mobile app companies on privacy and FDA regulatory issues.
Kimberly is currently working on-site with the Global Privacy Office of a global pharmaceutical company on
various legal matters, including negotiating vendor agreements, providing advice on marketing and clinical trial
initiatives, and developing privacy notices, consent documents, and internal policies.
Kimberly's transactional experience includes mergers and acquisitions, joint ventures, and affiliations of
hospitals, group practices and other provider entities. She also represents not-for-profit and tax-exempt
organizations on a broad range of matters, and regularly advises clients on issues relating to accreditation by
the Accreditation Council for Graduate Medical Education (ACGME) and the Liaison Committee on Medical
Education (LCME).
Kimberly is a frequent writer and speaker on privacy and health care issues. She has appeared before the
American Bar Association, American Health Lawyers Association and New York State Bar Association,
speaking on topics such as health information technology, HIPAA compliance, and data breaches. Kimberly
also has written articles about breach notification requirements and state privacy laws for national publications,
including the American Journal of Health-System Pharmacy and HCCA Compliance Today.
Kimberly is a Certified Information Privacy Professional (CIPP/US) through the International Association of
Privacy Professionals.
Kimberly Gold
Senior Associate
Norton Rose Fulbright
New York
+1 212 318 3103
kimberly.gold@nortonrosefulbright.com
Agenda
• Overview of HIPAA
• Terms and Definitions
•  Protected Health Information (PHI)
•  Covered Entity
•  Business Associate
• Core Privacy and Security Requirements
•  Business Associate obligations
What is HIPAA?
A law enacted by U.S. Congress in 1996.
Consists of the Privacy Rule and Security Rule.
HIPAA Privacy Rule defines and limits circumstances in which protected health
information (PHI) can be used and disclosed.
HIPAA Security Rule establishes standards for protection of PHI.
What is HIPAA (cont’d)?
• In general, HIPAA permits covered entities to use and disclose protected health
information for their own treatment, payment and health care operations purposes.
• Specific patient authorization is required for use/disclosure for other purposes.
Three Subsets of the HIPAA Rules
Enforcement Rule
•  Compliance & Enforcement
•  Civil Monetary Penalties
Security Rule
•  Administrative, Physical and Technical Safeguards
•  Breach Notification
Privacy Rule
•  Uses and Disclosures of PHI
•  Requirements for interacting with patients
What is HITECH?
• The Health Information Technology for Economic and Clinical Health Act (HITECH)
was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA),
the “stimulus bill.”
• US $20 billion+ in incentives to encourage doctors and hospitals to use HIT
• Recently updated provisions apply to digital data.
HIPAA Omnibus Rule – 2013 Updates
•  Important changes:
•  Business Associates
•  PHI Storage
•  HITECH Breaches
•  Penalties & enforcements
What is a HIPAA Covered Entity?
•  Covered Entities:
1.  Health Care Providers
2.  Health Care Clearinghouses
3.  Health Plans
4.  Business Associates of 1-3 above
…that perform electronic transactions covered by HIPAA.
What is Protected Health Information (PHI)?
•  Protected Health Information (PHI): Medical records or other health information
that:
•  Identifies an individual
•  Could be used to identify an individual
•  Created or received by a HIPAA covered entity
Protected Health Information – Identifiers
•  Name
•  Social Security Number
•  Driver’s License or other government-issued identification number
•  Telephone/Fax Number
•  Email Address
•  Geographic Subdivision Smaller Than States (such as street address, city,
county, and 5-digit ZIP code)
•  Certificate/License Number
•  Financial Account Number (such as bank accounts and payment card accounts)
•  Medical Record Number
•  Health Plan Beneficiary Number
•  IP Address
•  URL
•  Dates Directly Related to Individuals (such as date of birth, date of death,
admission and discharge date, and any age over 89)
•  Biometric Identifiers (including fingerprints and voice prints)
•  Device Identifiers
•  Vehicle Identifiers and Serial Numbers (including license plate numbers)
•  Full-face Photographs (or comparable images)
•  Other individually identifiable code or number
De-identified information
• PHI may be de-identified by removing all details that could reasonably be used to
identify an individual.
• De-identification can be accomplished by:
•  Removing all individually identifiable information listed above; or
•  Acquiring certification from a qualified statistician that information cannot be
re-identified.
• Vendors may seek to use de-identified information for their own purposes. The
data may be used for comparative effectiveness studies, policy assessments, and
other endeavors.
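The first of the two routes above is the HIPAA Safe Harbor method. The Python below is an added example, not code from the slides or from the firm: it applies that route to a constructed patient record by dropping the direct identifiers in the list above, reducing dates to the year, ZIP codes to their first three digits and ages over 89 to "90+" (the generalizations that 45 CFR 164.514(b)(2) permits, which the slide does not spell out), scrubbing identifier patterns and the record's own known values out of free-text notes, and finally checking the result for residual identifiers before release. The field names, the restricted ZIP prefix list and the sample record are all constructed for the example.

```python
# Added example: Safe Harbor-style de-identification of a health record.
# Field names, the restricted ZIP list and the sample record are constructed.
import re

# Direct identifiers from the slide's list, keyed by constructed field names
# (not a real EHR schema); any field in this set is dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "drivers_license", "phone", "fax", "email", "street_address",
    "city", "county", "certificate_number", "account_number",
    "medical_record_number", "health_plan_id", "ip_address", "url",
    "biometric_id", "device_id", "vehicle_id", "photo", "other_code",
}

# Dates are reduced to the year, which Safe Harbor permits; renamed on output.
DATE_FIELDS = {"date_of_birth": "birth_year", "date_of_death": "death_year",
               "admission_date": "admission_year", "discharge_date": "discharge_year"}

# Safe Harbor allows the first three ZIP digits unless that area holds 20,000 or
# fewer people ("000" then). HHS publishes the real list; this one is made up.
RESTRICTED_ZIP3 = {"036", "059", "102", "203", "556"}

# Identifiers that leak into free text. Order matters: dates and SSNs are
# rewritten before the looser phone pattern runs.
PATTERNS = [
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\w)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def generalize_zip(zip_code: str) -> str:
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(age: int) -> str:
    # Ages over 89 are an identifier; Safe Harbor aggregates them into "90+".
    return "90+" if age > 89 else str(age)

def _known_values(record: dict) -> set:
    # The record's own identifier values and their longer tokens, so a first
    # name inside a note is caught even though no regex recognises names.
    values = set()
    for field in DIRECT_IDENTIFIER_FIELDS:
        value = record.get(field)
        if isinstance(value, str):
            values.add(value)
            values.update(tok for tok in value.split() if len(tok) >= 4)
    return values

def scrub_text(text: str, known_values) -> str:
    for label, pattern in PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    for value in sorted(known_values, key=len, reverse=True):  # longest first
        text = re.sub(re.escape(value), "[REDACTED]", text, flags=re.IGNORECASE)
    return text

def deidentify(record: dict) -> dict:
    known = _known_values(record)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            # Keep the year only; an unparseable date is dropped, not passed on.
            match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
            if match:
                out[DATE_FIELDS[key]] = match.group(1)
        elif key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key == "age":
            out["age"] = generalize_age(int(value))
        elif isinstance(value, str):
            out[key] = scrub_text(value, known)  # free text such as notes
        else:
            out[key] = value
    return out

def residual_identifiers(record: dict) -> list:
    # Release gate: (field, kind) pairs where an identifier pattern still
    # matches. Empty means the pattern check passed, not proof of absence.
    found = []
    for key, value in record.items():
        if isinstance(value, str):
            found.extend((key, label) for label, pat in PATTERNS if pat.search(value))
    return sorted(found)

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "zip": "02139",
    "date_of_birth": "1931-05-14",
    "age": 91,
    "diagnosis": "type 2 diabetes",
    "note": "Pt Jane (DOB 1931-05-14) reached at 617-555-0100; ssn 123-45-6789 on file.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean, residual_identifiers(clean))
```

The free-text scrub is where field-level de-identification usually fails: the structured fields are easy to drop, but the clinical note still carries the patient's first name, date of birth, phone and SSN. The residual check is a pattern test only; a name or a rare diagnosis that no pattern recognises can still identify someone, which is why the slide's second route (a qualified statistician's determination) exists.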
What is a Business Associate?
•  A person or entity that performs or assists a covered entity with functions that
involve the use or disclosure of protected health information.
• Examples:
–  Cloud vendors
–  Providers of data transmission services
–  Subcontractors of Business Associates
•  HIPAA requires covered entities to enter into agreements with Business Associates,
called Business Associate Agreements.
•  Covered entities can be held liable for HIPAA violations by Business Associates in
some cases.
•  Where a vendor is acting as a Business Associate, the vendor is directly liable for
compliance with many aspects of the Privacy Rule, and all of the Security Rule.
Are you a Business Associate?
• In the course of business, is PHI:
• Created
• Received
• Maintained
• Transmitted
• For or on behalf of a covered entity?
What are Business Associates Liable for?
• HITECH breaches
• Failure to provide breach notification to the covered entity
• Failure to provide electronic access to PHI
• When requested by the individual
• When requested by the Covered Entity
• Failure to provide an accounting of disclosures
• …and more
• PLUS, contractual liability for breaches of Business Associate Agreements
• BAAs contain terms and conditions for access and use of PHI.
Is Patient Data Secure on the Cloud?
• When electronic PHI (ePHI) is stored/maintained in the cloud:
• Healthcare Providers/Covered Entities are “disclosing it” to the cloud vendor
• Cloud vendor becomes a business associate
• Cloud vendor must comply with HIPAA and HITECH provisions
• Challenges when cloud provider does not know what data it is maintaining
The HIPAA Security Rule
• Establishes safeguards to ensure the confidentiality, integrity and security of ePHI
•  Administrative safeguards
•  Physical safeguards
•  Technical safeguards
Security Rule Safeguards
• Administrative Safeguards
•  Security management processes
•  Staff training
•  Information access management
•  Contingency plan
• Physical Safeguards
•  Facility access controls
•  Workstation security measures
•  Workstation use policies
• Technical Safeguards
•  Access controls
•  Audit controls
•  Integrity controls
•  Transmission security measures
Data Breaches
•  A data breach is any acquisition, access, use, or
disclosure of PHI in a manner not permitted by the
HIPAA Privacy Rule, whether internal or external
•  Does not have to result in confirmed identity theft
before legal obligations are triggered
Healthcare Data Breaches
What to do?
•  Risk analysis
•  Risk management program
•  Security official
•  Policies & procedures
•  Employee training
•  Subcontractor BAAs
•  Document compliance
•  NOTE: No HITECH mandate that data be encrypted.
•  But penalties for breaches can be avoided if data is
strongly encrypted.
HIPAA and Mobile Devices
•  HIPAA applies to any mobile device that receives, transmits, or stores PHI.
•  OCR and ONC suggest measures to ensure that PHI is secure on mobile devices:
•  Use a password or other user authentication. You can also activate a screen lock
after the device has not been used for a period of time.
•  Install or enable encryption.
•  Install or activate remote wiping and/or disabling.
•  Disable or do not use file-shared applications.
•  Install or enable firewalls.
•  Install or enable security software.
•  Keep your security software up to date.
•  Research apps before downloading.
•  Maintain physical control.
•  Use adequate controls when using Wi-Fi.
•  Delete all stored PHI before reusing or discarding a device.
What happens if I don’t comply with HIPAA?
• Civil and Criminal Penalties
• HITECH Breaches:
• US $50,000 per violation
• US $1.5 million for multiple identical violations
• No defense based on lack of knowledge
• Mandatory HITECH audit program
HITECH Breaches: How Much Will It Cost You?

Degree of Culpability / “State of Mind”            Potential Penalty Per Violation   Maximum Annual Cap for All Violations
Violation was not known and could not have         $100 – $50,000                    $1,500,000
been discovered with reasonable diligence
Reasonable cause for violation, not due to         $1,000 – $50,000                  $1,500,000
willful neglect
Violation due to willful neglect, but              $10,000 – $50,000                 $1,500,000
corrected in 30 days
Violation due to willful neglect, not              $50,000                           $1,500,000
corrected in 30 days
HIPAA Violations: Criminal Penalties

Knowing violation                                     $50,000 fine / 1 year imprisonment
Violation involving false pretenses                   $100,000 fine / 5 years imprisonment
Violation involving intent to sell, transfer or use   $250,000 fine / 10 years imprisonment
OCR Enforcement Results by Year

Year               No Violation   Resolved After Intake and Review   Corrective Action Obtained   Total Resolutions
Partial Year 2003  5%             78%                                17%                          1516
2004               7%             71%                                22%                          4799
2005               11%            68%                                21%                          5692
2006               14%            62%                                24%                          6599
2007               10%            69%                                21%                          7238
2008               13%            63%                                24%                          9341
2009               15%            59%                                26%                          8106
2010               17%            54%                                29%                          9189
2011               16%            53%                                31%                          8363
2012               10%            54%                                36%                          9408
2013               7%             69%                                24%                          14300
What We’ve Learned from OCR Resolution Agreements
• OCR is monitoring breach notification reports.
• No one is immune from enforcement.
• Heavy emphasis on performance of thorough security risk analysis and
identification of vulnerabilities.
• Having policies and procedures in place is critical…so is following them.
• Workforce must be trained.
• If devices and equipment aren’t encrypted, you need to document why.
State Laws
• Some state health information laws are stricter than
HIPAA.
– For example, California’s Confidentiality of Medical
Information Act (CMIA).
• A majority of states (47/50) have enacted data breach
notification laws.
BRNewTech Meetup - Material Astella
 
Pendo Series B Investor Deck External
Pendo Series B Investor Deck ExternalPendo Series B Investor Deck External
Pendo Series B Investor Deck External
 
Tinder Pitch Deck
Tinder Pitch DeckTinder Pitch Deck
Tinder Pitch Deck
 
Contently Pitch Deck
Contently Pitch DeckContently Pitch Deck
Contently Pitch Deck
 
BuzzFeed Pitch Deck
BuzzFeed Pitch DeckBuzzFeed Pitch Deck
BuzzFeed Pitch Deck
 
Intercom's first pitch deck!
Intercom's first pitch deck!Intercom's first pitch deck!
Intercom's first pitch deck!
 
Front series A deck
Front series A deckFront series A deck
Front series A deck
 
Mattermark 2nd (Final) Series A Deck
Mattermark 2nd (Final) Series A DeckMattermark 2nd (Final) Series A Deck
Mattermark 2nd (Final) Series A Deck
 
Airbnb Pitch Deck From 2008
Airbnb Pitch Deck From 2008Airbnb Pitch Deck From 2008
Airbnb Pitch Deck From 2008
 
Foursquare's 1st Pitch Deck
Foursquare's 1st Pitch DeckFoursquare's 1st Pitch Deck
Foursquare's 1st Pitch Deck
 
The investor presentation we used to raise 2 million dollars
The investor presentation we used to raise 2 million dollarsThe investor presentation we used to raise 2 million dollars
The investor presentation we used to raise 2 million dollars
 
Linkedin Series B Pitch Deck
Linkedin Series B Pitch DeckLinkedin Series B Pitch Deck
Linkedin Series B Pitch Deck
 
Mixpanel - Our pitch deck that we used to raise $65M
Mixpanel - Our pitch deck that we used to raise $65MMixpanel - Our pitch deck that we used to raise $65M
Mixpanel - Our pitch deck that we used to raise $65M
 
SEOmoz Pitch Deck July 2011
SEOmoz Pitch Deck July 2011SEOmoz Pitch Deck July 2011
SEOmoz Pitch Deck July 2011
 
The slide deck we used to raise half a million dollars
The slide deck we used to raise half a million dollarsThe slide deck we used to raise half a million dollars
The slide deck we used to raise half a million dollars
 

Semelhante a What’s Up eDoc?: A Health IT Privacy Primer

Health Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability ActHealth Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability Actসারন দাস
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptxQmcleod
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptxQmcleod
 
Imac 2011
Imac 2011Imac 2011
Imac 2011sebmojo
 
Health information confidentiality
Health information confidentialityHealth information confidentiality
Health information confidentialityJames Noon
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowShred-it
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion iibeleza1669
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion iibeleza1669
 
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...Hanaysha
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 Meg Oser
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiAtlantic Training, LLC.
 
Health Insurance Portability & Accountability Act (HIPAA)
Health Insurance Portability & Accountability Act (HIPAA)Health Insurance Portability & Accountability Act (HIPAA)
Health Insurance Portability & Accountability Act (HIPAA)Arpitha Aarushi
 
Meeting the HIPAA Privacy Requirements
Meeting the HIPAA Privacy RequirementsMeeting the HIPAA Privacy Requirements
Meeting the HIPAA Privacy Requirementsbenefitexpress
 
HIPAA Rights Privacy and Enforcements RD.pptx
HIPAA Rights  Privacy and Enforcements RD.pptxHIPAA Rights  Privacy and Enforcements RD.pptx
HIPAA Rights Privacy and Enforcements RD.pptxRAJIV RANJAN DAS
 
Health Information Privacy: Asia's Viewpoint
Health Information Privacy: Asia's ViewpointHealth Information Privacy: Asia's Viewpoint
Health Information Privacy: Asia's ViewpointNawanan Theera-Ampornpunt
 

Semelhante a What’s Up eDoc?: A Health IT Privacy Primer (20)

Health Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability ActHealth Insurance and Portability and Accountability Act
Health Insurance and Portability and Accountability Act
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptx
 
Privacy & security training.pptx
Privacy & security training.pptxPrivacy & security training.pptx
Privacy & security training.pptx
 
Imac 2011
Imac 2011Imac 2011
Imac 2011
 
Data Management Protection Acts
Data Management Protection ActsData Management Protection Acts
Data Management Protection Acts
 
Health information confidentiality
Health information confidentialityHealth information confidentiality
Health information confidentiality
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion ii
 
Mha 690 week one discussion ii
Mha 690 week one discussion iiMha 690 week one discussion ii
Mha 690 week one discussion ii
 
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of Hawaii
 
Health Insurance Portability & Accountability Act (HIPAA)
Health Insurance Portability & Accountability Act (HIPAA)Health Insurance Portability & Accountability Act (HIPAA)
Health Insurance Portability & Accountability Act (HIPAA)
 
Meeting the HIPAA Privacy Requirements
Meeting the HIPAA Privacy RequirementsMeeting the HIPAA Privacy Requirements
Meeting the HIPAA Privacy Requirements
 
HIPAA Rights Privacy and Enforcements RD.pptx
HIPAA Rights  Privacy and Enforcements RD.pptxHIPAA Rights  Privacy and Enforcements RD.pptx
HIPAA Rights Privacy and Enforcements RD.pptx
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2
 
Hipaa training
Hipaa trainingHipaa training
Hipaa training
 
Health Information Privacy: Asia's Viewpoint
Health Information Privacy: Asia's ViewpointHealth Information Privacy: Asia's Viewpoint
Health Information Privacy: Asia's Viewpoint
 

Mais de MaRS Discovery District

How to Pitch a VC - Entrepreneurship 101
How to Pitch a VC - Entrepreneurship 101How to Pitch a VC - Entrepreneurship 101
How to Pitch a VC - Entrepreneurship 101MaRS Discovery District
 
25 lessons learned - Entrepreneurship 101
25 lessons learned - Entrepreneurship 10125 lessons learned - Entrepreneurship 101
25 lessons learned - Entrepreneurship 101MaRS Discovery District
 
So you want to start a business? - Entrepreneurship 101
So you want to start a business? - Entrepreneurship 101So you want to start a business? - Entrepreneurship 101
So you want to start a business? - Entrepreneurship 101MaRS Discovery District
 
Lessons in Startup Leadership - Entrepreneurship 101
Lessons in Startup Leadership - Entrepreneurship 101Lessons in Startup Leadership - Entrepreneurship 101
Lessons in Startup Leadership - Entrepreneurship 101MaRS Discovery District
 
Startup finances: Forecasting, Modelling & Metrics
Startup finances:  Forecasting, Modelling & MetricsStartup finances:  Forecasting, Modelling & Metrics
Startup finances: Forecasting, Modelling & MetricsMaRS Discovery District
 
10+ Steps to Scaling Your Cheer Squad - Entrepreneurship 101
10+ Steps to Scaling Your Cheer Squad - Entrepreneurship 10110+ Steps to Scaling Your Cheer Squad - Entrepreneurship 101
10+ Steps to Scaling Your Cheer Squad - Entrepreneurship 101MaRS Discovery District
 
Scaling Your Startup - Entrepreneurship 101
Scaling Your Startup - Entrepreneurship 101Scaling Your Startup - Entrepreneurship 101
Scaling Your Startup - Entrepreneurship 101MaRS Discovery District
 
Scaling Outside Canada - Entrepreneurship 101
Scaling Outside Canada - Entrepreneurship 101Scaling Outside Canada - Entrepreneurship 101
Scaling Outside Canada - Entrepreneurship 101MaRS Discovery District
 
Partnership Negotiations - Entrepreneurship 101
Partnership Negotiations - Entrepreneurship 101Partnership Negotiations - Entrepreneurship 101
Partnership Negotiations - Entrepreneurship 101MaRS Discovery District
 
Art of the deal 101: Notes from the Trenches - Entrepreneurship 101
Art of the deal 101: Notes from the Trenches - Entrepreneurship 101Art of the deal 101: Notes from the Trenches - Entrepreneurship 101
Art of the deal 101: Notes from the Trenches - Entrepreneurship 101MaRS Discovery District
 
The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101
The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101
The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101MaRS Discovery District
 
Sales Putting the Fun in Funnel - Entrepreneurship 101
Sales Putting the Fun in Funnel - Entrepreneurship 101Sales Putting the Fun in Funnel - Entrepreneurship 101
Sales Putting the Fun in Funnel - Entrepreneurship 101MaRS Discovery District
 

Mais de MaRS Discovery District (20)

How to Pitch a VC - Entrepreneurship 101
How to Pitch a VC - Entrepreneurship 101How to Pitch a VC - Entrepreneurship 101
How to Pitch a VC - Entrepreneurship 101
 
The Pitch - Entrepreneurship 101
The Pitch - Entrepreneurship 101The Pitch - Entrepreneurship 101
The Pitch - Entrepreneurship 101
 
25 lessons learned - Entrepreneurship 101
25 lessons learned - Entrepreneurship 10125 lessons learned - Entrepreneurship 101
25 lessons learned - Entrepreneurship 101
 
So you want to start a business? - Entrepreneurship 101
So you want to start a business? - Entrepreneurship 101So you want to start a business? - Entrepreneurship 101
So you want to start a business? - Entrepreneurship 101
 
Lessons in Startup Leadership - Entrepreneurship 101
Lessons in Startup Leadership - Entrepreneurship 101Lessons in Startup Leadership - Entrepreneurship 101
Lessons in Startup Leadership - Entrepreneurship 101
 
Why Should I Work for You? (The EVP)
Why Should I Work for You? (The EVP)Why Should I Work for You? (The EVP)
Why Should I Work for You? (The EVP)
 
A New Hiring Paradigm
A New Hiring ParadigmA New Hiring Paradigm
A New Hiring Paradigm
 
How to Find and Hire Top Talent
How to Find and Hire Top TalentHow to Find and Hire Top Talent
How to Find and Hire Top Talent
 
Startup finances: Forecasting, Modelling & Metrics
Startup finances:  Forecasting, Modelling & MetricsStartup finances:  Forecasting, Modelling & Metrics
Startup finances: Forecasting, Modelling & Metrics
 
Financial Modelling
Financial Modelling Financial Modelling
Financial Modelling
 
Forecasting Revenue
Forecasting RevenueForecasting Revenue
Forecasting Revenue
 
10+ Steps to Scaling Your Cheer Squad - Entrepreneurship 101
10+ Steps to Scaling Your Cheer Squad - Entrepreneurship 10110+ Steps to Scaling Your Cheer Squad - Entrepreneurship 101
10+ Steps to Scaling Your Cheer Squad - Entrepreneurship 101
 
Scaling Your Startup - Entrepreneurship 101
Scaling Your Startup - Entrepreneurship 101Scaling Your Startup - Entrepreneurship 101
Scaling Your Startup - Entrepreneurship 101
 
Scaling Outside Canada - Entrepreneurship 101
Scaling Outside Canada - Entrepreneurship 101Scaling Outside Canada - Entrepreneurship 101
Scaling Outside Canada - Entrepreneurship 101
 
Partnership Negotiations - Entrepreneurship 101
Partnership Negotiations - Entrepreneurship 101Partnership Negotiations - Entrepreneurship 101
Partnership Negotiations - Entrepreneurship 101
 
Licensing - Entrepreneurship 101
Licensing - Entrepreneurship 101Licensing - Entrepreneurship 101
Licensing - Entrepreneurship 101
 
Art of the deal 101: Notes from the Trenches - Entrepreneurship 101
Art of the deal 101: Notes from the Trenches - Entrepreneurship 101Art of the deal 101: Notes from the Trenches - Entrepreneurship 101
Art of the deal 101: Notes from the Trenches - Entrepreneurship 101
 
Social Selling - Entrepreneurship 101
Social Selling - Entrepreneurship 101Social Selling - Entrepreneurship 101
Social Selling - Entrepreneurship 101
 
The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101
The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101
The Art & Science of Sales: Tips, Tricks & Tools - Entrepreneurship 101
 
Sales Putting the Fun in Funnel - Entrepreneurship 101
Sales Putting the Fun in Funnel - Entrepreneurship 101Sales Putting the Fun in Funnel - Entrepreneurship 101
Sales Putting the Fun in Funnel - Entrepreneurship 101
 

Último

Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessAPCO
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examplesamberjiles31
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGlokeshwarmaha
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKELtd
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxJemalSeid25
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHelene Heckrotte
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhangmcgroupjeya
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003believeminhh
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...Brian Solis
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024Stephan Koning
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..dlewis191
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfHajeJanKamps
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 
Trauma Training Service for First Responders
Trauma Training Service for First RespondersTrauma Training Service for First Responders
Trauma Training Service for First RespondersBPOQe
 

Último (20)

Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examples
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
 
Investment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV IndustriesInvestment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV Industries
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptx
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhang
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 
Trauma Training Service for First Responders
Trauma Training Service for First RespondersTrauma Training Service for First Responders
Trauma Training Service for First Responders
 

What’s Up eDoc?: A Health IT Privacy Primer

  • 7. Good practices under PIPEDA 7 1.  Accountability: Designate an individual within the organization who is responsible for managing and responding to privacy issues related to the organization’s operations. 2.  Identifying Purposes: Develop a plan which identifies what personal information you need and explicitly link that information with the purpose for which it will be used. 3.  Consent: Obtain consent from individuals before their information is collected – explain how the information will be used and disclosed. 4.  Limiting Collection: Limit collection of data to only that which is necessary for the identified purposes.
  • 8. Good practices under PIPEDA 8 5.  Limiting Use, Disclosure, and Retention: Only use or disclose information for identified purposes, and do not retain information for any longer than is necessary to satisfy those purposes. Dispose of personal information in a way that prevents privacy breach. 6.  Accuracy: Ensure information is accurate, complete and up to date as is necessary in the interests of the purpose for which the information was collected and the interests of the individual. 7.  Safeguards: Ensure an adequate security policy is in place to protect information, and that appropriate safeguards are in place. 8.  Openness: Staff should be trained to respond to individual inquiries. 9.  Individual Access: Provide individuals with access to their information where appropriate. 10.  Challenging Compliance: Provide recourse against complaints about the organization’s compliance with the above principles.
  • 9. Privacy Toolkit A Guide for Businesses and Organizations Canada's Personal Information Protection and Electronic Documents Act https://www.priv.gc.ca/information/pub/guide_org_e.pdf 9 Recommended Reading
  • 10. PIPEDA and Digital Health 10 PIPEDA does not impose special obligations on digital health companies. Under s. 30(1.1), the Act states that the duties imposed on the use of personal information in the private sector: …does not apply to any organization in respect of personal health information that it collects, uses or discloses within a province … unless the organization … discloses the information outside the province … . KEY QUESTION – What is “personal health information”?
  • 12. What is PHIPA? 12 The Personal Health Information Protection Act (PHIPA) is Ontario legislation which came into force in 2004. Its purpose, as per s. 1 of the Act, is to: •  establish rules for the collection, use and disclosure of personal health information; •  provide individuals with a right of access to personal health information about themselves; •  provide individuals with a right to require the correction or amendment of personal health information about themselves; •  provide for independent review and resolution of complaints with respect to personal health information; and •  to provide effective remedies for contraventions of this Act.
  • 13. What does PHIPA govern? 13 PHIPA applies to the collection, use and disclosure of personal health information by health information custodians (whether or not in the course of commercial activities).
  • 14. PHIPA – Key Definitions 14 “Personal health information” is “identifying” information collected about an individual, whether oral or recorded if the information: • relates to the physical or mental health of the individual, including information that consists of the individual’s family health history, • relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual • is a plan of service within the meaning of the Long-Term Care Act, 1994 of the individual, • relates to payments or eligibility for health care in respect of the individual, • relates to the donation by the individual of any body part or bodily substance, or is derived from testing of such body part or substance, • is the individual’s health number, or • identifies the individual’s substitute decision-maker: s. 4(1).
  • 15. PHIPA – Key Definitions cont. 15 Information is “identifying” when it identifies an individual or when it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual. It is not necessary for the individual to be actually named for the information to be considered personal health information. Generally, “personal health information” does not include identifying information held by health information custodians as employers, i.e. personal health information relating to an employee maintained primarily for a purpose other than the provision of health care to the employee.
  • 16. “Health Information Custodians” are persons or organizations who have custody or control of personal health information such as primary health care providers and related services, including: -  health care practitioners -  community care service providers -  Hospitals -  long-term care homes -  Pharmacies -  retirement homes -  medical officers, etc. 16 PHIPA – Key Definitions cont.
  • 17. Are you an “agent” of a custodian? You are considered to be an agent if, with respect to personal health information: • you are authorized to act on behalf of a custodian; and • you perform activities for the purposes of a custodian rather than your own purposes; • whether or not you have the authority to bind the custodian; • whether or not you are employed by the custodian; and • whether or not you are receiving remuneration. 17 PHIPA – Key Definitions cont.
  • 18. PHIPA – Key Definitions cont. 18 Service Providers and Health Information Network Provider If you are not an agent of the custodian, but provide goods or services that enable the custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, you are a service provider and must comply with certain restrictions on the use and disclosure of that information that are set out in the regulations that accompany PHIPA IF you perform services for multiple Health Information Custodians, the service provider is called a Health Information Network Provider
• 19. PHIPA – Key Definitions cont. Recipient. PHIPA applies to the use and disclosure of personal health information by persons who receive the information from a Health Information Custodian. For example, an insurance company that receives personal health information from a hospital is a Recipient. If I submit the same information to the insurance company myself, it is not considered personal health information because I am not a health information custodian. 19
• 20. Applicability of Statutes. PHIPA applies to everyone regarding the collection, use or disclosure of OHIP numbers. PIPEDA will apply to collections, uses and disclosures of personal information by health information custodians outside Ontario in the course of commercial activities. For example, PIPEDA will apply to the disclosure of personal information by health information custodians in Ontario to persons in other provinces when done in the course of commercial activities. 20
• 21. Duties under PHIPA. PHIPA includes a wide variety of duties, which are very similar to the obligations under PIPEDA. Examples of duties under PHIPA include:
•  Minimum – collect only the information you need to do the job;
•  Knowledgeable consent – except in specific circumstances where the law authorizes healthcare providers to collect, use or share a person’s information without consent (such as reporting for public health safety), consent must be obtained before information is collected, used or disclosed; consent can be express or implied;
•  Accuracy – a duty to take reasonable steps to ensure information collected is accurate, complete and up-to-date as necessary in relation to the purpose for which it was collected; 21
• 22. Duties under PHIPA cont.
•  Security – a duty to take reasonable steps to ensure that personal health information is protected against theft, loss and unauthorized use or disclosure;
•  Accountability – a duty to ensure there is an ultimately responsible person at the company who ensures compliance with the Act; and
•  Policy – provide a written description of the practices you use to protect information, and the name of the person to contact if someone has a question or concern about their personal health record. 22
• 23. Duties under PHIPA cont. Regarding Policy and Related Practices:
•  Health Information Custodians must take steps that are reasonable in the circumstances to ensure that Personal Health Information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure.
•  Health Information Custodians must take similar steps to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.
•  An Agent is required to notify the Health Information Custodian at the first reasonable opportunity if Personal Health Information handled by the Agent on behalf of the custodian is stolen, lost or accessed by unauthorized persons. 23
• 24. Hypothetical Questions. A developer from Ontario developed an app that collects an Ontario user’s heart rate via the band of the user’s watch, and the information is stored on a server in Ontario. The user purchased the app from an app store. The heart rate is “personal health information” as defined by PHIPA. QUESTIONS:
1. Is the app developer a “health information custodian”?
2. Is the app developer an “agent” of a health information custodian?
3. Is the app developer a “service provider” or “health information network provider” to a health information custodian?
4. What if the app developer is a person who supplies services for the purpose of enabling an Ontario doctor or hospital to collect and use personal health information? What if the doctor or hospital is from Alberta? New York?
5. What if the app was purchased and used by an end user in New York? 24
• 25. Hypothetical Answers. ANSWERS:
1.  The developer does not fall within the definition of health information custodian.
2.  The developer is not an agent because the developer is not authorized by a health information custodian but by the user who purchased the app.
3.  The developer is providing a service to the user of the app and not a health information custodian, so the developer is not a service provider or health information network provider.
4.  Seems like the developer is a service provider to the Ontario doctor/hospital, but would want more information to confirm. If it was a doctor/hospital in Alberta, PIPEDA might apply as it is interprovincial. If it was a doctor/hospital in California, PIPEDA might apply to the developer as it is international, but US laws may apply as well.
5.  PIPEDA might apply as the commercial activity of buying the app would be an international transaction. 25
  • 26. Contact: Stephen Whitney Of Counsel Norton Rose Fulbright Canada LLP / S.E.N.C.R.L., s.r.l. 51 Breithaupt Street, Suite 100 Kitchener, Ontario N2H 5G5 Canada Royal Bank Plaza, South Tower, Suite 3800 200 Bay Street, P.O. Box 84, Toronto, ON M5J 2Z4 Canada T: +1 226.868.9125 stephen.whitney@nortonrosefulbright.com 26
  • 28. Disclaimer Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members (‘the Norton Rose Fulbright members’) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients. References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. 28
  • 29. What’s up eDoc?: A Privacy Primer for Health IT at MaRS HIPAA and State Laws Kimberly J. Gold September 30, 2015
  • 30. Bio Kimberly Gold is a Senior Associate in Norton Rose Fulbright's New York Office. Her practice focuses on healthcare transactions, regulatory compliance, and privacy and security matters. Kimberly has extensive experience in the areas of privacy, information security, cybersecurity and information management. She regularly advises clients on matters involving privacy and security of patient information under HIPAA and state laws. She also represents clients in the health information technology area and has counseled pharmaceutical and mobile app companies on privacy and FDA regulatory issues. Kimberly is currently working on-site with the Global Privacy Office of a global pharmaceutical company on various legal matters, including negotiating vendor agreements, providing advice on marketing and clinical trial initiatives, and developing privacy notices, consent documents, and internal policies. Kimberly's transactional experience includes mergers and acquisitions, joint ventures, and affiliations of hospitals, group practices and other provider entities. She also represents not-for-profit and tax-exempt organizations on a broad range of matters, and regularly advises clients on issues relating to accreditation by the Accreditation Council for Graduate Medical Education (ACGME) and the Liaison Committee on Medical Education (LCME). Kimberly is a frequent writer and speaker on privacy and health care issues. She has appeared before the American Bar Association, American Health Lawyers Association and New York State Bar Association, speaking on topics such as health information technology, HIPAA compliance, and data breaches. Kimberly also has written articles about breach notification requirements and state privacy laws for national publications, including the American Journal of Health-System Pharmacy and HCCA Compliance Today. Kimberly is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals.
Kimberly Gold, Senior Associate, Norton Rose Fulbright New York, +1 212 318 3103, kimberly.gold@nortonrosefulbright.com 30
  • 31. Agenda • Overview of HIPAA • Terms and Definitions •  Protected Health Information (PHI) •  Covered Entity •  Business Associate • Core Privacy and Security Requirements •  Business Associate obligations 31
  • 32. What is HIPAA? A law enacted by U.S. Congress in 1996. Consists of the Privacy Rule and Security Rule. The HIPAA Privacy Rule defines and limits circumstances in which protected health information (PHI) can be used and disclosed. The HIPAA Security Rule establishes standards for protection of PHI. 32
  • 33. What is HIPAA (cont’d)? • In general, HIPAA permits covered entities to use and disclose protected health information for their own treatment, payment and health care operations purposes. • Specific patient authorization is required for use/disclosure for other purposes. 33
  • 34. Three Subsets of the HIPAA Rules Enforcement Rule •  Compliance & Enforcement •  Civil Monetary Penalties Security Rule •  Administrative, Physical and Technical Safeguards •  Breach Notification Privacy Rule •  Uses and Disclosures of PHI •  Requirements for interacting with patients 34
  • 35. What is HITECH? • The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA), the “stimulus bill.” • US $20 billion+ in incentives to encourage doctors and hospitals to use HIT • Recently updated provisions apply to digital data. 35
  • 36. HIPAA Omnibus Rule – 2013 Updates •  Important changes: •  Business Associates •  PHI Storage •  HITECH Breaches •  Penalties & enforcements 36
  • 37. What is a HIPAA Covered Entity? •  Covered Entities: •  Health Care Providers •  Health Care Clearinghouses •  Health Plans •  Business Associates of 1-3 above …That perform electronic transactions covered by HIPAA. 37
  • 38. What is Protected Health Information (PHI)? •  Protected Health Information (PHI): Medical records or other health information that: •  Identifies an individual •  Could be used to identify an individual •  Created or received by a HIPAA covered entity 38
  • 39. Protected Health Information - Identifiers
•  Name
•  Social Security Number
•  Driver’s License or other government-issued identification number
•  Telephone/Fax Number
•  Email Address
•  Geographic Subdivision Smaller Than States (such as street address, city, county, and 5-digit ZIP code)
•  Certificate/License Number
•  Financial Account Number (such as bank accounts and payment card accounts)
•  Medical Record Number
•  Health Plan Beneficiary Number
•  IP Address
•  URL
•  Dates Directly Related to Individuals (such as date of birth, date of death, admission and discharge date, and any age over 89)
•  Biometric Identifiers (including fingerprints and voice prints)
•  Device Identifiers
•  Vehicle Identifiers and Serial Numbers (including license plate numbers)
•  Full-face Photographs (or comparable images)
•  Other individually identifiable code or number 39
  • 40. De-identified information • PHI may be de-identified by removing all details that could reasonably be used to identify an individual. • De-identification can be accomplished by: •  Removing all individually identifiable information listed above; or •  Acquiring certification from a qualified statistician that the information cannot be re-identified. • Vendors may seek to use de-identified information for their own purposes. The data may be used for comparative effectiveness studies, policy assessments, and other endeavors. 40
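As an added example (not from the slides or the firm's materials), the following Python applies the first de-identification route above: it strips the identifier categories listed on the previous slide from a structured record and then scans free-text notes, the usual place identifiers survive a scrub. The record layout, field names, sample values and regex patterns are constructed assumptions; keeping only the year of dates and bucketing ages over 89 as "90+" follows the HIPAA Safe Harbor method rather than the slide's wording.

```python
import re

# Constructed field names for the identifier categories the slide lists;
# anything in this set is a direct identifier and is dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "drivers_license", "phone", "fax", "email",
    "street", "city", "county", "zip",          # geography smaller than a state
    "certificate_number", "account_number", "medical_record_number",
    "health_plan_id", "ip_address", "url", "biometric_hash",
    "device_id", "license_plate", "photo",
}
# Dates tied to the individual are generalised rather than dropped: keeping the
# year and bucketing ages over 89 follows Safe Harbor (assumption, not slide text).
DATE_FIELDS = {"date_of_birth", "date_of_death", "admission_date", "discharge_date"}

def generalize_date(value: str) -> str:
    """Keep only the year of an ISO date; anything unparsable is removed."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else "[DATE REMOVED]"

def generalize_age(age: int) -> str:
    """Ages over 89 are collapsed into a single '90+' bucket."""
    return "90+" if age > 89 else str(age)

def deidentify(record: dict) -> dict:
    """Return a copy of the record with listed identifiers removed or generalised."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                          # drop the field entirely
        if field in DATE_FIELDS:
            out[field] = generalize_date(str(value))
        elif field == "age":
            out[field] = generalize_age(int(value))
        else:
            out[field] = value                # clinical data is retained
    return out

# Free-text notes are the usual leak path: a scrubbed structured record is
# still identifiable if the note repeats the SSN. Constructed US-style patterns.
LEAK_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date":  re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

def find_leaked_identifiers(text: str) -> list:
    """Return the sorted identifier categories found in free text."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(text))

def is_safe_harbor_clean(record: dict, note_field: str = "notes") -> bool:
    """True when no listed field survives and the note carries no identifier."""
    if set(record) & DIRECT_IDENTIFIER_FIELDS:
        return False
    return not find_leaked_identifiers(str(record.get(note_field, "")))

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Roe", "ssn": "123-45-6789", "zip": "10001", "state": "NY",
    "age": 92, "admission_date": "2015-09-30", "diagnosis_code": "I10",
    "notes": "Pt reached at 416-555-0199; remote session from 10.0.0.7 on 2015-09-30.",
}
```

Note that `deidentify(SAMPLE)` drops the structured identifiers but leaves the notes field intact, so `is_safe_harbor_clean` still fails until the phone number, IP address and date in the note are handled.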
  • 41. What is a Business Associate? •  A person or entity that performs or assists a covered entity with functions that involve the use or disclosure of protected health information. • Examples: –  Cloud vendors –  Providers of data transmission services –  Subcontractors of Business Associates •  HIPAA requires covered entities to enter into agreements with Business Associates, called Business Associate Agreements. •  Covered entities can be held liable for HIPAA violations by Business Associates in some cases. •  Where a vendor is acting as a Business Associate, the vendor is directly liable for compliance with many aspects of the Privacy rule, and all of the Security Rule. 41
  • 42. Are you a Business Associate? • In the course of business, is PHI: • Created • Received • Maintained • Transmitted • For or on behalf of a covered entity? 42 Are you a BA?
  • 43. What are Business Associates Liable for? • HITECH breaches • Failure to provide breach notification to the covered entity • Failure to provide electronic access to PHI • When requested by the individual • When requested by the Covered Entity • Failure to provide an accounting of disclosures • …and more • PLUS, contractual liability for breaches of Business Associate Agreements • BAAs contain terms and conditions for access and use of PHI. 43
  • 44. Is Patient Data Secure on the Cloud? • When electronic PHI (ePHI) is stored/ maintained in the cloud: • Healthcare Providers/Covered Entities are “disclosing it” to the cloud vendor • Cloud vendor becomes a business associate • Cloud vendor must comply with HIPAA and HITECH provisions • Challenges when cloud provider does not know what data it is maintaining 44
  • 45. The HIPAA Security Rule • Establishes safeguards to ensure the confidentiality, integrity and security of ePHI •  Administrative safeguards •  Physical safeguards •  Technical safeguards 45
  • 46. Security Rule Safeguards • Administrative Safeguards •  Security management processes •  Staff training •  Information access management •  Contingency plan • Physical Safeguards •  Facility access controls •  Workstation security measures •  Workstation use policies • Technical Safeguards •  Access controls •  Audit controls •  Integrity controls •  Transmission security measures 46
  • 47. Data Breaches •  A data breach is any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, whether internal or external •  Does not have to result in confirmed identity theft before legal obligations are triggered 47
  • 49. What to do? •  Risk analysis •  Risk management program •  Security official •  Policies & procedures •  Employee training •  Subcontractor BAAs •  Document compliance •  NOTE: No HITECH mandate that data be encrypted. •  But penalties for breaches can be avoided if data is strongly encrypted. 49
  • 50. HIPAA and Mobile Devices •  HIPAA applies to any mobile device that receives, transmits, or stores PHI. •  OCR and ONC suggest measures to ensure that PHI is secure on mobile devices: •  Use a password or other user authentication. You can also activate a screen lock after the device has not been used for a period of time. •  Install or enable encryption. •  Install or activate remote wiping and/or disabling. •  Disable or do not use file-shared applications. •  Install or enable firewalls. •  Install or enable security software. •  Keep your security software up to date. •  Research apps before downloading. •  Maintain physical control. •  Use adequate controls when using Wi-Fi. •  Delete all stored PHI before reusing or discarding a device. 50
  • 51. What happens if I don’t comply with HIPAA? • Civil and Criminal Penalties • HITECH Breaches: • US $50,000 per violation • US $1.5 million for multiple identical violations • No defense based on lack of knowledge • Mandatory HITECH audit program 51
  • 52. HITECH Breaches: How Much Will It Cost You? (Degree of culpability / “state of mind”; potential penalty per violation; maximum annual cap for all violations)
•  Violation was not known and could not have been discovered with reasonable diligence: $100 – $50,000 per violation; $1,500,000 annual cap
•  Reasonable cause for violation, not due to willful neglect: $1,000 – $50,000 per violation; $1,500,000 annual cap
•  Violation due to willful neglect, but corrected in 30 days: $10,000 – $50,000 per violation; $1,500,000 annual cap
•  Violation due to willful neglect, not corrected in 30 days: $50,000 per violation; $1,500,000 annual cap 52
  • 53. HIPAA Violations: Criminal Penalties
•  Knowing violation: $50,000 fine / 1 year imprisonment
•  Violation involving false pretenses: $100,000 fine / 5 years imprisonment
•  Violation involving intent to sell, transfer or use: $250,000 fine / 10 years imprisonment 53
  • 54. OCR Enforcement Results by Year (columns: no violation; resolved after intake and review; corrective action obtained; total resolutions)
•  2003 (partial year): 5%; 78%; 17%; 1516
•  2004: 7%; 71%; 22%; 4799
•  2005: 11%; 68%; 21%; 5692
•  2006: 14%; 62%; 24%; 6599
•  2007: 10%; 69%; 21%; 7238
•  2008: 13%; 63%; 24%; 9341
•  2009: 15%; 59%; 26%; 8106
•  2010: 17%; 54%; 29%; 9189
•  2011: 16%; 53%; 31%; 8363
•  2012: 10%; 54%; 36%; 9408
•  2013: 7%; 69%; 24%; 14300 54
  • 55. What We’ve Learned from OCR Resolution Agreements 55 • OCR is monitoring breach notification reports. • No one is immune from enforcement. • Heavy emphasis on performance of thorough security risk analysis and identification of vulnerabilities. • Having policies and procedures in place is critical…so is following them. • Workforce must be trained. • If devices and equipment aren’t encrypted, you need to document why.
  • 56. State Laws • Some state health information laws are stricter than HIPAA. – For example, California’s Confidentiality of Medical Information Act (CMIA). • A majority of states (47/50) have enacted data breach notification laws. 56