that information may include individually identifiable health information, the “value” to cybercriminals increases. Drug and alcohol testing laboratories are not immune from these risk exposures. The costs of addressing a breach when it happens are also rising exponentially, and the impact to the business can extend well beyond the financial to other potential enterprise-wide regulatory, legal, reputation, market share, and risk-financing matters, as well as to other risk exposures. If a business has not already developed and implemented a proactive enterprise approach to risk identification, analysis, loss prevention, and mitigation for information privacy and security, it may be wise to move forward on such an endeavor with some urgency. ❚


References

1. Privacy Rights Clearinghouse, https://www.privacyrights.org/data-breaches.

2. The U.S. government used the term “personally identifiable” in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in U.S. standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows: Information that can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. https://www.nist.gov/publications/guide-protecting-confidentiality-personally-identifiable-information-pii. Published 2010. Accessed January 29, 2019.

3. HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity. Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual. Individually identifiable health information is a subset of health information, and as the name suggests, is health information that can be linked to a specific person, or if it would be reasonable to believe that an individual could be identified from the information. (See 45 CFR 46.160.103.) The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified. HIPAA Journal, January 2018, https://www.hipaajournal.com/individually-identifiable-health-information/. Accessed January 29, 2019.

4. “Blood-Testing Lab LabCorp Grapples with Data Breach: 5 Things to Know,” Julie Spitzer, Becker’s Hospital Review, July 18, 2018. Accessed online January 29, 2019. https://www.beckershospitalreview.com/cybersecurity/blood-testing-lab-labcorp-grapples-with-data-breach-5-things-to-know.html

5. Radware Global Application and Network Security Report, published January 2019.

6. Verizon Data Breach Investigations Report, accessed January 29, 2019.

7. Ponemon Institute 2018 Cost of a Data Breach Study Global Overview, accessed January 29, 2019.

8. Confidentiality of Alcohol and Drug Abuse Patient Records, accessed January 29, 2019.

9. Privacy Act of 1974, https://www.archives.gov/about/laws/privacy-act-1974.html, accessed January 29, 2019.

10. HIPAA, https://www.hhs.gov/hipaa/for-professionals/index.html, accessed January 29, 2019.

11. European Union’s General Data Protection Regulation, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en, accessed January 29, 2019.

12. National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

13. Taking Aim at Data Breaches and Cyberattacks, Pam Greenberg, NCSL LegisBrief.

14. National Conference of State Legislatures, http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx.

15. Ponemon Institute’s 2018 Cost of a Data Breach Study: Global Overview.


Gwen Hughes, RHIA, CHPS is President of Hughes Virtual Privacy Office, and can be reached at ghughes.vpo@gmail.com. Hughes is a Registered Health Information Administrator (RHIA) with a certification in Healthcare Privacy and Security (CHPS). For over 15 years, she has been helping clients protect the privacy and security of patient health information while complying with HIPAA, and other laws, regulations and standards. Prior to starting her own company, Hughes provided best practice advice and became a nationally recognized author and speaker for the American Health Information Management Association (AHIMA) on topics such as: leadership, best practices in HIM, electronic health records, and HIPAA. She has over 15 years of successful leadership experience directing Health Information Management, compliance and revenue related services in hospitals, physician practices, long term care and health systems.


Patricia A. Hughes, RN, MSN, CPHRM, FASHRM is currently the Senior Vice President for Healthcare Risk Management at OneBeacon Healthcare Group.

Prior to joining OBHC Group, Patricia was Director of Risk Management at UMass-Memorial Medical Center, Worcester, MA and at Boston Medical Center, Boston, MA. Patricia has over 30 years of experience in the health care industry, and 18 years in healthcare risk management. She has a Bachelor of Science Degree in Nursing and a Master of Science degree in Family and Community Health Nursing. She practiced as an Advanced Practice Registered Nurse and as a Level 1 Trauma Center Program Manager. Patricia is a Certified Professional in Healthcare Risk Management (CPHRM) and is a Fellow of the American Society of Healthcare Risk Management (FASHRM). She is a member of several state Chapters of the American Society of Healthcare Risk Management (ASHRM) and has served as President and Board of Directors of the MA Society of Healthcare Risk Management. Ms. Hughes has also served as Co-Chair, Strategic Activities of the Enterprise Risk Management Taskforce of the American Health Lawyers Association.


Information is provided for general informational purposes only and does not constitute legal, risk management, or other advice. Viewers should consult their own counsel or other advisors for such advice. OneBeacon Insurance Group, and its parents and affiliates (“OneBeacon”), and consultants, contractors, and vendors of OneBeacon assume no responsibility or liability for the discovery or elimination of risk that possibly could cause accidents, injuries, or damages. Compliance with any strategies or opportunities for improvement provided does not assure elimination of risk or the satisfaction of requirements of applicable law.




datia focus


spring 2019

