Regulatory Requirements Part 1

Course
Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Hello and welcome back to the HCISPP certification course with Cybrary, Regulatory Requirements Part 1. My name is Schlaine Hutchins, and I'll be your instructor for today. Today we're going to talk about legal issues, physical security regulation commitments, data breach regulations, and jurisdiction implications. These next modules are some of the most significant areas for the certification examination, and we'll be discussing them at a high level. Please refer to the supplemental materials for further study.

As we've discussed thus far, HIPAA is the most important healthcare information regulation in the United States. Healthcare organizations need to ensure compliance with regulations and guidelines for archiving and retaining electronic communications. Patient confidentiality and potential malpractice litigation make it particularly important for healthcare organizations to ensure network security and compliance. Although HIPAA covers many things, physicians typically are more concerned with HIPAA's administrative simplification provisions, and particularly the privacy, security, and breach notification requirements. The specificity of the requirements goes well beyond traditional self-evident obligations, and violations can result in serious penalties. Healthcare organizations should note that HIPAA is considered the floor, meaning states may have requirements that go above and beyond what the federal government requires.

We discussed in previous modules the American Recovery and Reinvestment stimulus bill and the HITECH Act of 2009, which included the final Breach Notification Rule, which imposes sweeping obligations on certain entities that manage personally identifiable health information. While the provisions generally follow the same themes as state notification laws, the HITECH Act's data breach requirements contain several critical distinctions. A breach is defined under HITECH as the unauthorized acquisition, access, use, or disclosure of PHI, or protected health information. Under the federal law, the unauthorized use or disclosure of PHI constitutes a notifiable event. For example, if an authorized user, someone who has authorization to use the data, discusses the data in an unexpected or inappropriate way, such as talking on an elevator around people who could overhear the conversation, the organization would be required to comply with the breach notification requirements.

Countries around the world are stepping up to the problem of a volatile and dangerous Internet environment, and crafting laws and regulations that require the protection of personally identifiable information. Canada's Personal Information Protection and Electronic Documents Act and the European Union's Directive 2009/136/EC require protections within the organizations performing medical services for patients when collecting, storing, sharing, and transmitting data across networks to other organizations. It's important to understand these international standards if you're transferring data across international borders.

For the most part, all privacy and security regulations require the same commitments. Personal healthcare data must be collected for a specific purpose. You cannot use the data outside of that purpose. Information must be isolated from persons not authorized to see or use the data (minimum use). Information must be deleted at an appropriate time after its use for a stated purpose, and financial penalties may be collected for failure to protect the information appropriately, meaning you can be sued. Other specifics may include identifying and defining relationships between underage or incompetent persons and their parents, guardians, or caregivers who may make healthcare decisions; defining the period of time information is preserved; and a description of the permissions process for sharing or transmitting data to others beyond the original organization. These commitments should be in place, should be documented, should be noted, and probably should be audited on a periodic basis to ensure that the controls are in place and operating as intended.

The definition of a data breach is the impermissible use or disclosure of protected health information that compromises the security or the privacy of the data. As with any other incident, organizations must respond initially, and seek to identify the specific details about the data or information in question. This means the incident response plan and procedures must account for breach responses. As you'll study in some supplemental materials, there's a four-part determination to identify whether or not an incident materializes into a reportable data breach. The major distinction of a breach is that it involves protected health information, and the consequences may be significant in terms of financial penalties and lawsuits from those whose data was disclosed, as well as immeasurable reputational damage to the organization.

The US Department of Health and Human Services, or HHS, has increased the civil monetary penalties for HIPAA violations in accordance with the Inflation Adjustment Act. The Inflation Adjustment Act final rule was effective on January 15th of 2020. The increased penalty levels applied to any penalties assessed after January 15, 2020. The Notice of Enforcement Discretion announced on April 30, 2019, capped the maximum annual penalties at $10,000 for Tier 1, $100,000 for Tier 2, $250,000 for Tier 3, and $1.7 million for Tier 4. The maximum penalty for a HIPAA violation in the highest tier remained at $1.7 million per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.7 million in all four penalty tiers.

The tiers are as follows. A Tier 1 violation is when the covered entity did not know and could not reasonably have known about the breach. Tier 2 is when the covered entity knew, or would have known by exercising reasonable diligence, though did not act with willful neglect. They may have had some controls in place, they may have had some policies and procedures, and they didn't do anything on purpose. Tier 3 is when the covered entity acted with willful neglect and corrected the problem within a 30-day time frame, so they just didn't put procedures in place. They didn't have controls in place. They weren't even trying to protect the data, and then they fixed it within 30 days. That's Tier 3. Tier 4 is when the covered entity acted with willful neglect and failed to make timely correction. Not only did they not have controls, but they didn't even try to fix it. That's the Tier 4 violation. Depending upon the circumstances, individuals whose data was disclosed may seek additional compensation through the courts, which could be significant depending upon the number of individuals involved.

Historically, many state governments had laws for privacy and security of personal health data that differed from one another. This often resulted in conflicts when the protection schemes differed between organizations in two different states. One of the main efforts to resolve this difference was DURSA, the Data Use and Reciprocal Support Agreement. DURSA was developed by the Office of the National Coordinator for Health IT, the ONC, and the US Department of Health and Human Services, the HHS. DURSA seeks to provide a framework that ensures protection for health information data exchanges. This will be on the exam.

Today we discussed legal issues, physical and security commitments, data breach regulations, and jurisdiction implications and regulatory requirements. As a reminder, please review the supplemental materials for this module to help you prepare for the exam. Take care, and see you in the next video.