HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the HCISPP certification course with Cybrary, Handling Sensitive Data.
00:08
I'm Schlaine Hutchins, your instructor today.
00:13
In this video, we will cover data classification and disparate data,
00:19
personal and health information protected by law,
00:22
sensitivity mitigation,
00:24
and categories of sensitive data.
00:30
The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information.
00:41
It involves recognizing what information is critical to help your organization and assigning value to it.
00:49
The goal of classifying data is to organize it according to its sensitivity to loss or disclosure.
00:57
Each sensitivity classification should have separate handling requirements and procedures pertaining to how data is accessed,
01:04
used and destroyed.
01:07
To properly implement data classification, the health care organization must first decide upon the sensitivity scheme they're going to use.
01:18
Health care organizations generate an increasing amount of disparate data from heterogeneous sources provided on different platforms by different vendors. For example, e-prescribing, electronic medical records, digital imaging scans, pharmacy data,
01:38
lab data,
01:38
insurance claims data and regional health information exchanges are all examples of disparate data.
01:47
Disparate data can be characterized by three major problems.
01:51
Number one, the data exists in silos, meaning there is no single source of truth or single inventory for all of the data. Number two, the data is highly redundant throughout the organization, meaning the same data exists in several systems and files.
02:07
And number three, the data is variable in format and content.
02:12
When information isn't standardized, the organization cannot combine data sets or compare them, either internally or externally.
02:23
As previously discussed in Regulatory Requirements, the HIPAA Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic,
02:40
on paper, or oral.
02:44
The Privacy Rule calls this information protected health information, or PHI.
02:51
PHI relates to the individual's past, present or future physical or mental health
02:58
or condition;
02:59
the provision of health care to the individual;
03:02
and the past, present or future payment for the provision of health care to the individual, and that identifies the individual, or
03:12
for which there is a reasonable basis to believe
03:15
can be used to identify the individual.
03:20
Protected health information includes many common identifiers, as previously discussed in the regulatory module: the name, address, birth date, Social Security number,
03:32
etcetera
03:34
when they can be associated with the health information just mentioned.
03:43
HIPAA addresses privacy concerns of health information systems by enforcing data exchange standards as well as a guideline to analyze risk.
03:53
The overall objective of a HIPAA risk analysis is to document the potential risks and vulnerabilities related to the confidentiality, integrity and availability of electronic PHI,
04:08
and to determine the appropriate mitigation safeguards to bring the level of risk to an acceptable and manageable level.
04:16
Two methods for preventing unintentional disclosure of PHI
04:21
are de-identification
04:24
and anonymization.
04:26
There are two methods for de-identifying data:
04:29
expert determination
04:31
and safe harbor.
04:35
Expert determination is used to identify the level of risk that the information can be used alone
04:43
or in combination with other information to identify an individual, using various statistical methodologies.
04:50
Please note that on the issue of who is an expert, the OCR advises that there is no specific or required professional degree or certification for a person to be an expert at determining whether PHI is de-identified.
05:08
Experts may come from statistical, mathematical or other scientific fields,
05:15
and their expertise may be gained through various means of education and experience.
05:19
The OCR will consider the relevant professional experience and academic training of the expert using the methodology.
05:29
Safe harbor is the removal of certain identifiers
05:32
of the individual or of relatives, employees or household members of the individual,
05:38
where the covered entity does not have actual knowledge
05:42
that the information could be used alone or in combination with other information to identify the individual
05:49
who is the subject
05:50
of the information.
05:54
The OCR guidance states that the disclosure of parts or derivatives of the listed identifiers, such as a data set containing the patient's initials or the last four digits of a Social Security number, is not consistent with the safe harbor method.
06:12
Additionally,
06:13
dates that include the day, month, or any other form more specific than the year of an event are not permitted under safe harbor.
06:26
Data anonymization is the process of destroying tracks, or the electronic trail on the data, that would lead an eavesdropper to its origins. An electronic trail is the information that is left behind once someone sends data over a network;
06:42
forensic experts can follow the data to figure out who sent it.
06:46
This is often done in criminal cases, but sometimes companies use similar techniques in order to track user data.
06:56
This may be a concern to people who value their privacy and makes a good case for using data anonymization techniques.
07:03
One aspect of anonymization that may worry individuals who value their privacy is that the process can be reversed.
07:12
Many current techniques associated with anonymization
07:15
can be bypassed, as there are many ways to reveal stripped PHI from data sets. One way this information can be rebuilt is by cross-referencing any sets of records still available. This is called de-anonymization.
07:30
There are limitations to anonymization approaches:
07:32
data aggregation, data mining and predictive analysis
07:36
all have their limitations
07:41
for data anonymization.
07:47
HIPAA has extended the medical information category to include mental health information from past, present or future mental or physical health, including all written and electronic records. It even extends to payment for services rendered.
08:03
Federal regulations protect the confidentiality of alcohol and drug abuse patient records maintained by a program.
08:13
Under HIPAA, health insurers cannot consider pregnancy a preexisting condition, so health insurers cannot deny coverage when a pregnant woman goes from one job to another and switches health plans. Before the Affordable Care Act, or Obamacare,
08:31
women in this situation could be denied health care.
08:35
Ryan White Comprehensive AIDS Resources Emergency (CARE) Act
08:41
grantees are funded in significant part by formula-based grants that use disease data from the CDC to determine how the funds will be allocated.
08:52
The personal health information held by many Ryan White grantees has long been covered by a diversity of state confidentiality laws and in many cases is now covered by the privacy protections of HIPAA.
09:05
HIPAA covers a wide range of services in support of health care, including information such as legal, actuarial, accounting, consulting
09:16
and financial.
09:18
In short, most everything can be tied to the business relationship of the health care
09:22
delivered.
09:24
Now for DNA.
09:26
The most famous DNA database is CODIS.
09:30
A significant problem is that not all states and countries
09:33
have issued privacy legislation to protect DNA records.
09:37
On July 1st, 2020, Florida became the first state to enact a DNA privacy law prohibiting insurers from using genetic data.
09:46
The real concern is that individuals can be denied insurance or be charged increased premiums
09:52
and other costs based on DNA obtained or shared by popular companies like 23andMe or AncestryDNA.
10:05
Let's do a knowledge check.
10:07
What are the two methods for de-identifying data?
10:18
Safe harbor
10:20
and expert determination.
10:24
Great job.
10:28
What is the process of destroying tracks or electronic trails that could lead to the origin of the data?
10:41
You guessed it: anonymization.
10:46
Last question. True or false?
10:48
PHI refers to an individual's past, present
10:52
or future physical or mental health or condition.
11:03
That answer is true.
11:05
Good job.
11:09
So we talked about a lot today.
11:11
We talked about data classification and disparate data,
11:15
personal and health information protected by the law,
11:18
sensitivity, mitigation and categories of sensitive data.
11:22
Remember to review the supplemental materials and flashcards for further study.
11:28
Next up is Module 6, Enterprise Risk Management. See you soon.

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor