Indiana Security & Privacy Network

General Information

Nov 18, 2013

HIPAA Risk Assessment Panel Discussion
Pondurance panel


Nov 18, 2013

Meaningful Use and Audit Potential
Speaker: IU Health’s Kathy Mathena


Nov 14, 2013

Security Update – InSPN Tech Fair 11/14/13
Speaker: Mark Clausman

See Mark Clausman’s security news updates including the Fall 2013 CryptoLocker outbreak, XP end-of-life security issues, and an update on OCR HIPAA audits for 2014.


August 8, 2013

HIPAA Auditee Perspective
Speaker: Frank Ruelas
Gila River Health Care was one of the 115 Covered Entities audited by KPMG in 2012, and Frank Ruelas was (and still is) their Privacy Officer who handled the response.

August 8, 2013

Mobile Device Security Special Interest Group
Speaker: Rick Clark

Rick Clark, Ontario Systems, and Jerod Brennen, Jacadis, presented some great information about the risks of mobile devices and what you can do to minimize them. See Rick’s presentation attached (and the other listing for Jerod’s).


August 8, 2013

Mobile Device Security Special Interest Group
Speaker: Jerod Brennen

Rick Clark, Ontario Systems, and Jerod Brennen, Jacadis, presented some great information about the risks of mobile devices and what you can do to minimize them. See Jerod’s presentation attached (and the other listing for Rick’s).


August 8, 2013

Legal Update
Speaker: Mark Swearingen

See Mark’s latest information about:
• HIPAA Enforcement Statistics
• Regulatory Developments
• Interesting Cases


August 8, 2013

HIPAA Privacy, Security and Breach Notification
Speaker: Jaime Pego

Jaime Pego from KPMG discussed the HIPAA Audits from the Auditor’s perspective and presented information about their findings.


March 15, 2013

From HITECH to High Risk HIPAA Compliance After the Final Rule
Speakers: Elizabeth Callahan-Morris, Esq. and Mark J. Swearingen, Esq.


March 13, 2013

Upcoming Conference – Safeguarding Health Information: Building Assurance through HIPAA Security – 2013


Jan 25, 2013

Sample Business Associate Agreement


Jan 17, 2013

HHS Announces New Rule Protects Patient Privacy, Secures Health Information

Enhanced standards improve privacy protections and security safeguards for consumer health data

The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA), which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.


Aug 15, 2012

2012 HIPAA Privacy and Security Audits
Speaker: Linda Sanches


Aug 15, 2012

HHS/OCR HIPAA Audit Protocol

Audit Protocol: The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

• The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
• The protocol covers requirements for the Breach Notification Rule.


Jun 7, 2012

NIST/OCR Meeting June 6 & 7

Safeguarding Health Information: Building Assurance through HIPAA Security – see MORE to get to the video files of the presentations. The agenda is below.

Wednesday, June 6 (Day 1):
9:00-9:15 Welcome and Logistics – David Holtzman, OCR, and Kevin Stine, NIST
9:15-9:30 Leadership Remarks – Matt Scholl, Deputy Chief, Computer Security Division, NIST
9:30-10:15 Risk Management Framework: Privacy Controls – Dr. Ron Ross, NIST
10:30-11:15 Beyond HIPAA: The FTC Privacy Report – Cora Tung Han, FTC
11:15-12:15 Establishing an Access Auditing Program – Cindy Matson, Sanford Health System
1:15-2:00 View From the Cloud: Security Assurance Considerations for a Purchaser – Mac McMillan, HIMSS; and Vince Campitelli, Cloud Security Alliance
2:00-2:45 HHS/ONC Overview – Joy Pritts, Chief Privacy Officer, Office of the National Coordinator
3:00-4:00 (Breakout A-1 Session) Security of Mobile Devices – Lisa Gallagher, HIMSS
3:00-4:00 (Breakout B-1 Session) Security of Health Information When Maximizing Accessibility and Usability – Matt Quinn, NIST, and David Baquis, US Accessibility Board
4:05-4:50 (Breakout A-2 Session) ONC Mobile Device Project – David Shepherd, LMI
4:05-4:50 (Breakout B-2 Session) Integrity Protections – Dan Rode, AHIMA

Thursday, June 7 (Day 2):
9:00-9:30 The Convergence of Privacy and Security in Protecting Health Information – Leon Rodriguez, Director, OCR
9:30-10:30 OCR Audit Program – Linda Sanches, OCR
10:45-11:45 HIPAA Security Rule Toolkit Use Case – Sue Miller, WEDI Security and Privacy Workgroup; Jim Sheldon-Dean, Lewis Creek Systems, LLC; and Sherry Wilson, Jopari Solutions
1:00-2:00 Federal Data Breach Response of Health and Consumer Protected Information – David Holtzman, OCR, and Alain Sheer, FTC
2:00-3:00 Data Breach Strikes – Gerard Stegmaier, Wilson, Sonsini, Goodrich & Rosati; and Paul Luehr, Stroz Friedberg
3:15-4:00 Security Testing and Assessment Methodologies – Karen Scarfone, Scarfone Cybersecurity; and Richard Metzer, D.Sc., CISSP, Lockheed Martin
4:00-4:45 Meaningful Use Crosswalk to the Security Rule – Adam Greene, Davis Wright Tremaine LLP


Apr 10, 2012

HHS Audit questions used in the Piedmont Hospital Audit in 2007

To get an idea of what might be expected in an audit of a healthcare provider, take a look at the information that was requested in that earlier audit.


Dec 1, 2011

The NIST HIPAA Security Toolkit Application

HIPAA Security Rule Toolkit

The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise.

Resource Links:
http://scap.nist.gov/hipaa/
http://scap.nist.gov/hipaa/NIST_HSR_Toolkit_Installation_Guide.pdf
http://scap.nist.gov/hipaa/NIST_HSR_Toolkit_User_Guide.pdf


Nov 28, 2011

Security Update
Speaker: Mark Clausman

News about recent data security breaches including a data breach involving nearly 5 million people treated at military healthcare facilities and the recent Facebook spam attack.


Nov 21, 2011

InSPN Meeting of Nov 17 – Legal Update
Speaker: Mark Swearingen

Topics:
• HIPAA Enforcement Statistics
• Breach Notification Rule (through November 17, 2011)
• In the Media/Updates
• HITECH Regulations
• Proposed Rule: CLIA Program and HIPAA Privacy Rule
• HIPAA Audits


Nov 21, 2011

InSPN Meeting of Nov 17 – Privacy Update
Speaker: Wendy Mangin

Many items about recent privacy issues.


Nov 21, 2011

InSPN Meeting of November 17 – IT Security Agreements
Speaker: Jeffrey W. Short


Aug 18, 2011

InSPN Meeting – (OCR) HIPAA Update
Speaker: David Mayer


May 30, 2011

OCR link to information about Enforcement Issues

HIPAA Enforcement

HHS’ Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR’s enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective actions obtained by OCR from covered entities have resulted in systemic change that has improved the privacy protection of health information for all individuals they serve. HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.


May 20, 2011

Summary of the HIPAA Security Rule

This link leads to a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision.


May 5, 2011

WEDI – Workgroup for Electronic Data Interchange Link

The Workgroup for Electronic Data Interchange (WEDI) was established in 1991 in response to a challenge from then Secretary of Health and Human Services, Louis Sullivan, MD. The challenge was to bring together a consortium of leaders within the healthcare industry to identify practical strategies for reducing administrative costs in healthcare through the implementation of EDI. WEDI quickly became a major advocate in promoting the acceptance and implementation of the standardization of administrative and financial health care data. WEDI continued its EDI advocacy and helped secure passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. WEDI’s unique position and influence were acknowledged in its designation in the HIPAA legislation as an advisor to the Secretary and as a facilitator of industry consensus on the implementation and fulfillment of this mandate.

Today, WEDI’s membership includes providers, health plans, consumers, vendors, government organizations, and standards groups committed to the implementation of electronic commerce in healthcare and EDI standards for the healthcare industry. Regulatory officials from the Centers for Medicare & Medicaid Services, Health and Human Services, Office of Civil Rights and other government entities attend and participate in WEDI forums to benefit from the alternative approaches and consensus-based recommendations generated by the industry representatives. WEDI provides a broad-based interactive forum for healthcare executives, managers and advisors to utilize in addressing the business issues and policy formulation critical to their industry.


Sep 11, 2009

HIPAA Privacy & Security Rules in a HITECH World – 8/20/09
Speaker: Susan McAndrew


Jun 23, 2008

CMS/HHS – Links to information about HIPAA (Privacy, Security & Transactions)

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addressed the security and privacy of health data. As the industry adopts these standards, the efficiency and effectiveness of the nation’s health care system will improve through wider use of electronic data interchange.


Jun 21, 2008

Links to Government Regulations

The ITpolicycompliance.com web site is dedicated to promoting the development of research and information that will help IT security professionals meet the policy and regulatory compliance goals of their organizations. Specifically, this site focuses on assisting organizations to improve compliance results by providing reports based on primary research as well as other related information and resources.


Jun 20, 2008

International Association of Privacy Professionals

IAPP Resource Section – Here you will find privacy resources to help you prepare for CIPP certification, advance your privacy career and research the ever-changing privacy landscape. Links to:
(1) Career Center
(2) The Privacy Advisor Archives
(3) CIPP and CIPP/G Certification Resources
(4) Salary Surveys
(5) Privacy Links
(6) Privacy Blogs
(7) IAPP Privacy Bootcamp Workshop
(8) Data Privacy Day


Jun 20, 2008

State Laws regarding Breach Notification

Summary of State Security Freeze and Security Breach Notification Laws


Apr 25, 2008

New OCR Website about Enforcement Activities

On April 20, 2007, the Department of Health and Human Services launched an enhancement to its website to facilitate dissemination of information related to enforcement of the Privacy Regulations.