Hey there, Cybrary fans. Welcome back to the HCISPP certification course with Cybrary,
International Regulations and Controls. My name is Shalane Hutchins and I will be your instructor
in this video. We're going to talk about treaties and laws and regulations.
This is not my area of expertise, so I'm going to give you the study book version of information.
Just know that some of this information about the specific treaties and regulations may be on the exam.
Since most countries craft privacy and security regulations for internally specific reasons, it's not surprising that the regulations differ.
To settle the differences, sets of countries have collaborated on international agreements to bridge the differences in how personal information is protected.
The agreements we will discuss are targeted toward international business exchanges and do not specifically address exchanges among health care organizations.
The US-EU Safe Harbor is a framework to allow US organizations to be in compliance with the European Union and Switzerland data protection requirements when engaged in commerce transactions with member countries.
Specifically, there is a safe harbor framework between the US and the EU
and another framework between the US and Switzerland.
Organizations seeking collaboration in either or both
the EU and Switzerland would be required to review and commit to each set of principles.
On February 4th, 2011, by US-Canada Joint Declaration, the Beyond the Border Action Plan was announced.
It's a shared approach to security, in which both countries work together to address threats within, at, and away from the borders while expediting lawful trade and travel.
The Transatlantic Information Sharing and Data Privacy Act is an effort to enable the EU and the United States to work more closely and efficiently together to exchange law enforcement information while ensuring the protection of personal data privacy.
So we've reviewed these several times throughout the course. The most important laws and regulations related to health care information within the U.S. are HIPAA and HITECH.
HIPAA is a federal law
that was enacted and has been furthered by the requirements of the Affordable Care Act of 2010, with operating rules for each of the HIPAA covered transactions.
They are: a unique standard health plan identifier,
and the standards and operating rules for electronic funds transfer,
electronic remittance advice, and claims attachments.
In addition, health plans will be required to certify their compliance.
The act provides for substantial penalties for failures to comply with the new standards and operating rules.
I must note, and take note of this, that there is no such thing as a HIPAA certification.
There are companies that claim to offer a certificate of HIPAA compliance, and it simply doesn't exist.
While companies need to certify that they're meeting the requirements, that just means that you
assess your own organization and assess your controls against the HIPAA regulations and standards.
These false certifications are the same thing as companies offering a SOC 2 certification.
Again, there's no such thing. SOC 2 is an audit report
to review service controls for an organization and to give an independent opinion.
While organizations can assess their level of compliance, HIPAA has standards of controls that are addressable and some that are required.
Those that are required must be implemented by covered entities.
Addressable requirements may or may not be implemented according to their applicability.
HITECH ushered in an era of rapid electronic record adoption, but it also brought in new requirements for security, privacy, and specifically breach reporting.
The scope of covered entities was also clarified to include business associates such as billing providers, software companies and, in some cases, banks.
The breach notification rules of HITECH are detailed and mandatory for covered entities.
Covered entities must maintain a log of all breaches and submit the log to the HHS.
They must notify individuals affected by a breach within 60 days.
Breaches involving more than 500 individuals must be reported to the HHS.
They must understand restrictions related to marketing activities using patient information.
They must use and disclose the minimum necessary subject data to conduct a particular function or task.
They must provide an electronic copy of a patient's health record upon request;
the provider may charge a fee for producing the copy.
They must mail first class letters to patients who might be affected by the breach.
One important safe harbor provision exists in the HITECH Act for encrypted information.
If the information breached was encrypted with certified FIPS 140-2 encryption,
the breach does not have to be reported.
Breaches do not have to be disclosed if the information was exposed to an authorized recipient
and not further disclosed.
For instance, if a hospital faxes information to the wrong number,
but the wrong number was also a covered entity, like another doctor's office,
that doctor's office is also covered by HIPAA
and that disclosure does not have to be reported to the HHS.
PIPEDA is the Canadian regulation.
Organizations covered by PIPEDA must generally obtain an individual's consent when they collect,
use or disclose that person's information.
GDPR is one of the more recent data protection regulations.
GDPR is a regulation in the European Union
on data protection and privacy in the EU and the European Economic Area. It addresses the transfer of personal data outside of the EU.
As an information security professional, you should be aware of other privacy and security regulations outside of healthcare, especially where aspects of the regulations may affect or relate to health care information protection regulations.
Here are a few examples of other industry specific laws.
OSHA is a unit of the U.S. Department of Labor and addresses the safety and protection of workers in organizations that involve hazards and hazardous waste as potential sources of injuries and health related problems.
OSHA covers health care workers at hospitals and other medical facilities where exposures to chemicals or equipment could result in injuries or diseases.
The PCI security standard is unique within this training in that it's the only standard that is a private industry sector standard, as opposed to a government mandated regulation.
PCI targets merchants who accept
product and service payments from customers using specific credit cards.
Merchants are ranked by levels one through four based on the number of specific credit card transactions processed per year.
And each merchant is required to implement privacy and security programs to protect the financial information of customers with as much rigour and completeness as the health care standards provide for PHI.
Health care organizations that allow credit card transactions for the payment of services fall under PCI DSS compliance.
Such services provided by hospitals, such as bill payments, pharmacy, laboratory, radiology services, food services, gift shops, floral shops, etcetera, may be covered by PCI.
Now FOIA, or the Freedom of Information Act, is primarily seen as a basis for obtaining federal stores of information that are seen as publicly accessible, and is frequently used by private citizens for political or legal issues.
FOIA offers very little direct protection of PHI or PII
that is not found in more appropriate regulations, but it is included here because it was actually one of the first U.S. laws to identify federal information that was not free to be distributed.
Wow. Congratulations. You made it through treaties, laws and regulations. I'll see you in the next video.