Regulatory Requirements Part 1


Course: 5 hours 25 minutes, Difficulty: Intermediate, CEU/CPE: 6
Video Transcription
00:00
Hello and welcome back to the HCISPP certification course with Cybrary: Regulatory Requirements, Part One.
00:08
My name is Shalane Hutchins and I'll be your instructor for today.
00:14
Today we're gonna talk about legal issues,
00:17
physical security, regulation commitments,
00:20
data breach regulations and jurisdiction implications.
00:25
These next modules are some of the most significant areas for the certification examination and we'll be discussing them at a high level. Please refer to the supplemental materials for further study.
00:40
As we've discussed thus far, HIPAA is the most important health care information regulation
00:46
in the United States.
00:48
Health care organizations need to ensure compliance with regulations and guidelines for archiving and retaining electronic communications.
00:58
Patient confidentiality and potential malpractice litigation make it particularly important for health care organizations to ensure network security and compliance.
01:08
Although HIPAA covers many things,
01:11
physicians typically are more concerned with HIPAA's administrative simplification provisions
01:18
and particularly the privacy, security and breach notification requirements.
01:25
The specificity of the requirements goes well beyond traditional self-evident obligations, and violations can result in serious penalties.
01:34
Health care organizations should note that HIPAA is considered the floor, meaning states may have requirements that go above and beyond what the federal government requires.
01:51
We discussed in previous modules the American Recovery and Reinvestment Stimulus Bill
01:57
of the HITECH Act of 2009,
02:00
which included the final Breach Notification Rule, which imposes sweeping obligations on certain entities that manage personally identifiable health information.
02:12
While the provisions generally follow the same things as state notification laws,
02:19
the HITECH Act's data breach requirements contain several critical distinctions.
02:24
A breach is defined under HITECH as the unauthorized acquisition, access, use, or disclosure of PHI, or protected health information.
02:36
Under the federal law, the unauthorized use or disclosure of PHI constitutes a notifiable event.
02:44
For example, if an authorized user,
02:46
someone who has authorization to use the data,
02:51
discusses the data in an unexpected or inappropriate way,
02:55
such as
02:57
talking on an elevator around people who could overhear the conversation,
03:01
the organization would be required to comply with the breach notification requirements.
03:10
Countries around the world are stepping up to the problem of a volatile and dangerous Internet environment and crafting laws and regulations that require the protection of personally identifiable information.
03:24
Canada's
03:25
Personal Information Protection and Electronic Documents Act
03:30
and the European Union's Directive 2009/136/EC
03:38
require protections within the organizations performing medical services for patients when collecting,
03:45
storing, sharing, and transmitting data across networks to other organizations.
03:51
So it's important to understand these international standards if you're transferring data across international borders.
04:01
For the most part, all privacy and security regulations require the same commitment.
04:09
Personal health care data must be collected for a specific purpose.
04:13
You cannot use the data outside of that purpose.
04:15
Information must be isolated from persons not authorized to see or use the data.
04:21
Minimal use.
04:24
Information must be deleted at an appropriate time after it's used for a stated purpose.
04:30
And financial penalties may be collected for failure to protect the information appropriately, meaning you could be sued.
04:39
Other specifics may include identifying and defining relationships between underage or incompetent persons and their parents, guardians, or caregivers who may make health care decisions,
04:54
defining the period of time information is preserved,
04:59
and a description of the permissions process for sharing or transmitting data to others beyond the original organization.
05:06
So these
05:09
commitments should be in place, should be documented, should be monitored, and probably should be audited
05:15
on a periodic basis to ensure that the controls are in place and operating as intended.
05:27
The definition of a data breach is the impermissible use or disclosure of protected health information that compromises the security or the privacy of the data.
05:39
As with any other incident,
05:41
organizations must respond initially and seek to identify the specific details about the data or information in question.
05:49
This means the incident response plan and procedures must account for breach responses.
05:56
As you'll study in some supplemental materials, there's a four part determination to identify whether or not an incident materializes to a reportable data breach.
06:09
The major distinction of a breach is that it involves protected health information,
06:14
and the consequences may be significant in terms of financial penalties and lawsuits from those
06:19
whose data was disclosed, as well as immeasurable reputational damage to the organization.
06:31
The U.S. Department of Health and Human Services, or HHS, has increased the civil monetary penalties for HIPAA violations in accordance with the inflation adjustment.
06:44
The Inflation Adjustment Act final rule was effective on January 15, 2020.
06:49
The increased penalty levels apply to any penalties assessed after January 15, 2012.
06:58
The Notice of Enforcement Discretion,
07:00
announced on April 30, 2019,
07:03
capped the maximum annual penalties at $10,000 for Tier one,
07:11
$100,000 for Tier two,
07:14
$250,000 for Tier three,
07:16
and $1.7 million for Tier four.
07:20
The maximum penalty for a HIPAA violation in the highest tier remained at $1.7 million per violation category per year.
07:30
Prior to the review,
07:31
the maximum HIPAA violation penalty was $1.7 million in all four penalty tiers.
07:39
So the tiers are as follows.
07:41
Tier one violation is when the covered entity did not know and could not reasonably have known about the breach.
07:48
Tier two is the covered entity knew or would have known by exercising reasonable diligence.
07:56
but did not act with willful neglect,
07:59
so they may have had some controls in place. They may have had some policies and procedures, and they didn't do anything on purpose.
08:07
Tier three is the covered entity acted with willful neglect and corrected the problem within a 30-day time frame.
08:15
So
08:16
they just didn't put procedures in place. They didn't have controls in place. They weren't even trying to protect the data,
08:22
and then they fixed it within 30 days. That's Tier three.
08:26
Tier four
08:26
is the covered entity acted with willful neglect and failed to make timely correction. So not only did they not have controls, but they didn't even try to fix it.
08:37
So that's the Tier four violation.
08:41
Depending upon the circumstances, individuals whose data was disclosed may seek additional compensation through the courts, which could be significant depending upon the number of individuals involved.
08:56
Historically, many state governments had laws for privacy and security of personal health data that differed from one another.
09:05
This often resulted in conflicts when the protection schemes differed between organizations that were in two different states.
09:13
One of the main efforts to resolve this difference was DURSA, the Data Use and Reciprocal Support Agreement.
09:20
DURSA was developed by the Office of the National Coordinator for Health IT (ONC)
09:26
in the U.S. Department of Health and Human Services (HHS).
09:31
DURSA seeks to provide a framework that ensures protection for health information data exchanges. This will be on the exam.
09:45
So today we discussed legal issues,
09:48
physical and security commitments,
09:50
data breach regulations, and jurisdiction implications in regulatory requirements. As a reminder, please review the supplemental materials for this module to help you prepare for the exam.
10:03
Take care and see you in the next video.
HCISPP

This HCISPP training provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.