Quiz IT electronic documents management
IT 380
Electronic Document and
Record Management
Systems
Unit 4: Legislation, Standards,
Regulations and Policy
Instructor: Dr. Michelle Liu
Topics
▪ Implied and explicit regulatory requirements for
documents
▪ Privacy as part of other laws
▪ U.S security and privacy laws ▪ SOX
▪ HIPAA
▪ FCRA/FACTA
▪ GBL
▪ Government-specific regulations
2
Protections Modified
▪ 4th Amendment EXPANDED ▪ Person protected as well as place
▪ Katz v. U.S. (1967)
▪ Warrantless phone booth wiretap violated Fourth
Amendment
▪ “Reasonable assumption of privacy” test
▪ Did person exhibit personal expectation to privacy
▪ Does society recognize expectation as reasonable
▪ LIMITED ▪ Garbage placed at the curbside is public property
▪ California v. Greenwood, 1988 3
Katz vs. United States
▪ FBI placed a recording device on the outside
of a telephone booth to record defendant
transmitting wagering information to Miami
and Boston
▪ Defendant appealed conviction, contending
recordings were obtained in violation of
Fourth Amendment
▪ COA rejected because no physical entrance
into phone booth
▪ The supreme court reversed defendant
conviction 4
Statutory Approach
▪ No systematic approach or basic concepts
▪ Solutions for specific problems ▪ Types of records
▪ Kinds of institutions
5
U.S. Security and Privacy Laws ▪ Freedom from disclosure ▪ Restrict public disclosure of private facts
▪ Freedom from theft ▪ Data security
▪ Freedom from seizure ▪ Law enforcement powers and limits
▪ Freedom from nuisance ▪ Intrusion on the seclusion of another
▪ May overlap
6
U.S. Privacy Laws up to 1968
▪ Privacy of mail (1782 & 1825)
▪ Warrant required to open mail (1877)
▪ State laws against disclosure of telegrams (1880s)
▪ Privacy of census (1919) – regulations before
▪ Communications Act of 1934 ▪ prohibited federal officials from disclosing info about
intercepted communications
▪ Omnibus Crime and Control Act of 1968 (Wiretap Act)
7
Content and Metadata: Legal
Rules
▪ Katz v. United States, 1967
▪ Smith v. Maryland, 1979
8
Attempts at Rational Policy
▪ Records, Computers and the Rights of Citizens ▪ US Department of Health, Education, and Welfare, 1973
▪ Personal Privacy in an Information Society ▪ US Privacy Protection Study Commission, 1977
▪ HEW Report ▪ Proposed set of “fair information practices”
▪ No secret databases
▪ Mechanism to find what in database and how used
▪ Prior approval to put info obtained for one purpose to
use for another purpose
▪ Mechanism to correct errors or amend record
▪ Organizations must ensure reliability of data for
intended use and take reasonable precautions to
prevent misuse
9
Privacy Commission
▪ Study areas ▪ Industry specific - credit, banks, insurance, medical,
investigative/reporting, education
▪ Issue specific – employment, medical care, government access to private records, tax records, research and statistical studies, social security number, use of mailing list data
▪ Statute specific – Privacy Act of 1974
▪ 162 recommendations
3/6/2021 10
U.S. Laws in the 1970s
▪ Fair Credit Reporting Act of 1970
▪ Bank Secrecy Act of 1970
▪ Privacy Act of 1974 ▪ Amended FOIA
▪ Regulates collection of information about individuals
▪ Prohibits unauthorized disclosure
▪ Gives individuals right to access & correct their records in federal databases
▪ Family Educational Rights and Privacy Act of 1974
(FERPA) ▪ Federal law that protects the privacy of student education records
▪ Right to Financial Privacy Act of 1978
▪ Fair Debt Collection Practices Act - 1978
▪ Foreign Intelligence Surveillance Act of 1978 11
U.S. Laws in the 1980s
▪ Privacy Protection Act of 1980
▪ Cable Communications Policy Act of 1984 ▪ Protects privacy of cable records, including viewing
habits, and limits collection
▪ Electronic Communications Privacy Act of
1986 ▪ Extended Wiretap Act to computer-based data
▪ Stored vs. in transit distinction
▪ Employee Polygraph Protection Act of 1988 ▪ Restricts use of polygraphs by private sector
▪ Video Privacy Protection Act of 1988 ▪ Protects privacy of video tape rental & purchase records
12
Sarbanes-Oxley Act of 2002 (SOX)
▪ “To protect investors by improving the
accuracy and reliability of corporate
disclosures made pursuant to securities
laws, and for other purposes.”
▪ In response to financial scandals ▪ Enron, WorldCom, Tyco
▪ Arthur Andersen
▪ 11 sections with requirements procedures; e.g. ▪ Companies evaluate and disclose the effectiveness of
their internal financial controls
▪ CEO & CFO certify accuracy of reports
▪ Fully independent audit committees and auditors
▪ Increased insider trade reporting 13
SOX Provisions ▪ Established Public Company Accounting
Oversight Board (PCAOB)
▪ Auditor Independence
▪ Corporate Responsibility
▪ Enhanced Financial Disclosures
▪ Analyze Conflicts of Interests
▪ SEC Resources and Authority
14
Penalties Under SOX
Failure to comply or
submission of an
inaccurate certification
Fine up to $1 million and
ten years in prison
A wrong certification
submitted purposely
Fine up to $5 million and
twenty years in prison.
Violate SEC regulations May be ineligible to hold a
director or officer position
in any publicly traded
company History - 15
SOX 404: Viable Internal Controls
▪ Creation and maintenance of internal
controls ▪ Separation of duties
▪ Checks and balances
▪ Documentation of events
▪ Internal controls
▪ Internal controls include ▪ Policies
▪ Procedures
▪ Training programs
▪ Other processes (example: inventory control) 16
How does it relate to records
management?
▪ Record retention
▪ Copies of records
▪ Audit trail
17
SOX Section 404 & IT
▪ SOX internal controls ▪ Requires annual statement of the “effectiveness of
the company's internal control structure and
procedures for financial reporting” and “must
disclose any material weakness”
▪ IT controls underlie other process controls - thus
section 404 requires good IT controls
18
19
20
Devices & Integration Proliferating
Quickly ▪ Mobile apps
▪ Medical monitoring devices
▪ Medical delivery devices
▪ Wirelessly-connected Internet of Things (IoT)
mobile med-devices ▪ Wearable fitness monitor
▪ Smart watch
▪ Smart clothing
▪ Assisted mobile device diagnosis
▪ Consumer health record repositories
▪ Health information exchanges 21
Institutions Become More
Complex
▪ Mergers of hospitals with other business
▪ Use cloud based business services
▪ Hospital chain expanding their scope ▪ Building large ambulatory practice groups
▪ Outsourcing radiology, ICU and dialysis
▪ Standing up health insurance companies
▪ Manage privacy
▪ Audit activity
▪ Manage reliability 22
What is the Big Deal?
▪ Street cost for a stolen record: ▪ Medical: $50 vs. SSN: $1
▪ Payout for identity theft ▪ Medical:$20,000 vs. Regular: $2,000
▪ Medical records can be exploited 4x
longer ▪ Credit cards can be cancelled; medical
records can’t ▪ Medical Records Abuse
consequences ▪ Prescription fraud
▪ Embarrassment
▪ Financial fraud
▪ Personal data resale
▪ Blackmail/extortion
▪ Medical claims fraud
▪ Job loss/reputational 23
RSA Report on Cybercrime and the Healthcare Industry
❑ Majority of clinical fraud:
❑ Obtain prescription narcotics for
illegitimate use
❑ Free health care
TAKE A CLOSER LOOK AT
HIPAA
24
Topics
▪ HIPAA ▪ Why do those laws and regulations exist?
▪ Who is covered?
▪ What is covered?
▪ What is required or prohibited?
▪ What happens if I don’t comply?
25
HIPAA Overview
▪ The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
addressed insurance portability, fraud and
administrative simplification
▪ This act is watershed legislation for the
healthcare industry
▪ It resulted in substantial investment in e-
health initiatives and deployment of security
technology in the healthcare industry
26
HIPAA Goals
▪ Improve portability and continuity of health
insurance coverage in the group market
▪ Combat waste, fraud and abuse in health
insurance and healthcare delivery
▪ Promote the use of medical savings
accounts (HSAs)
▪ Improve access to long term care services
and coverage
▪ Simplify healthcare administrative data
exchange 27
Protected Health Information
▪ Healthcare providers must ensure the
confidentiality, integrity, and availability of
electronic protected health information (ePHI)
that the covered entity creates, receives,
maintains, or transmits
▪ Privacy Rule and Security Rule ▪ The privacy rule regulates uses and disclosures of
PHI,* while the security rule regulates the creation,
receipt, maintenance, and transmission of electronic
PHI.
▪ All electronic PHI is PHI subject to the privacy rule.
But not all PHI is electronic PHI—PHI is the larger
category and electronic PHI is a subset. 28
Privacy Rule and Security Rule
▪ Privacy Rule ▪ “Have in place appropriate administrative, technical,
and physical safeguards to protect the privacy of
protected health information.”*
▪ Applies to ALL PHI
▪ Need to know/Minimum necessary (to do jobs)
▪ Security Rule ▪ What policies/trainings/technologies are in place to
keep unauthorized people from seeing your data?
▪ Applies to Electronic PHI
▪ Does not apply to PHI on pieces of paper or to PHI
that is faxed over dedicated phone lines! 29
Omnibus Final Rule ▪ Took effect on September 23, 2013 ▪ The biggest change to HIPAA in 15 years
▪ Makes business associates of covered entities directly
liable for compliance with certain aspects of the HIPAA
Privacy and Security Rules’ requirements*
▪ Covered entity: healthcare providers, health plans,
healthcare clearinghouses
▪ The term business associates refers to any entity that
provides supporting products or services that are related
to PHI ▪ Create, receive, maintain or transmit PHI
▪ Business Associate Agreement (BAA) are formalized and
legally-binding documents where these entities
acknowledge their responsibilities for maintaining privacy
and security standards as part of the provider’s service. 30
*Source: U.S. Department of Health and Human Services
31
Devices & Integration Proliferating
Quickly ▪ Mobile apps
▪ Medical monitoring devices
▪ Medical delivery devices
▪ Wirelessly-connected Internet of Things (IoT)
mobile med-devices ▪ Wearable fitness monitor
▪ Smart watch
▪ Smart clothing
▪ Assisted mobile device diagnosis
▪ Consumer health record repositories
▪ Health information exchanges 32
Institutions Become More
Complex
▪ Mergers of hospitals with other business
▪ Use cloud based business services
▪ Hospital chain expanding their scope ▪ Building large ambulatory practice groups
▪ Outsourcing radiology, ICU and dialysis
▪ Standing up health insurance companies
▪ Manage privacy
▪ Audit activity
▪ Manage reliability 33
• Laptop/notebook • Tablet computers such
as iPads • Mobile/Cellular phones • Smartphones • PDA
Limits on uses and disclosures
Individual privacy rights
Administrative requirements
The
Privacy
Rule
3/6/2021 34
• Laptop/notebook • Tablet computers such
as iPads • Mobile/Cellular phones • Smartphones • PDA
Technical safeguards
Administrative safeguards
Physical safeguards
⚫
The
Security
Rule
3/6/2021 35
Organizational
Policies, Procedures and Documentation
Privacy and Security
36
Privacy: Covered Information
▪ Protected Health Information (PHI) includes patient identifiable data such as: ▪ Names, addresses, dates, phone numbers, email addresses,
SSN, license numbers, IP addresses, account numbers, etc.
▪ Any patient information created or received relating to past, present, or future condition; provision of health care; past, present, or future payments for health care provision
▪ De-identified health information is not considered PHI
▪ Privacy Rule ▪ Disclose policies for use and disclosure of information
▪ Privacy compliance program, including staff training
37
Permitted Disclosures
▪ PHI can be released without prior
authorization for Treatment,
Payment, and Health Care
Operations.
▪ As a general rule, anything else
requires specific written authorization
from the patient.
38
Example from Random Audit
Review ▪ Random Audit reveals employees snooping
in Emergency Department records
▪ For Cause Audit reveals employee looking
up lab results for family member
▪ High Profile Audit reveals employees
snooping in accident victim’s records
39
Examples of PHI Breach ▪ Local church reports medical records
received due to misdialed fax number
▪ Patient notified of breach due to test results
being given to another patient
▪ Patients notified of breach when email sent
with incorrect attachment
▪ Privacy investigation reveals unauthorized
disclosure, results in termination of 35+ year
nurse.
40
41
Can you
spot the
breach?
How about ransomware? ▪ Ransomware incidents treated as data
breaches under HIPAA
▪ Ransomware attacks constitute breach
unless there is substantial evidence to
contrary (US DHHS OCR) ▪ Must initiate security incident response and
reporting procedures as called for by HIPAA
Security Rule
▪ Must also follow risk assessment requirements of
HIPAA Breach Notification Rule
42
HIPAA Criminal Penalties
▪ UCLA researcher notified of termination. In
retaliation he accessed the medical records of his
superior, co-workers and celebrities. He was
convicted and sentences to 4 years in jail.
▪ LPN from medical clinic access PHI of patient and
gave it to her husband to use in a legal
proceeding against the patient. Both the LPN and
her husband were indicted.
▪ Trinity Medical Center (Birmingham, AL)
employee indicted for stealing identifying
information of 4,000 patients for committing
identify theft. 43
Examples and Exceptions
▪ A hospital (covered entity) adopts an electronic medical
records (EMR) system.
▪ If the EMR software vendor (business associate) needs
access to PHI then it would need to complete a BAA.
▪ If the hospital uses cloud-based services to store data
containing PHI then the cloud-based services provider
would need to complete a BAA.
▪ A BAA is not required for organizations, such as the US
Postal Service, certain private couriers and their
electronic equivalents that act merely as conduits for
protected health information
44
Additional Considerations ▪ Notices of Privacy Practices
▪ Breach Notification Requirements ▪ Patient(s) must be notified within 60 days;
▪ All breaches must be reported to the
Department of Health and Human Services
through the Office for Civil Rights
▪ Security Rule Compliance
45
The HIPAA Security Rule
▪ Requires covered entities to: ▪ Ensure protection against any reasonably
anticipated threats or hazards to the security or
integrity of information
▪ Protect against reasonably anticipated uses and
disclosures
▪ Ensure compliance by workforce
▪ Review and modify security measures periodically
to continue reasonable and appropriate protections
3/6/2021 46
The C-I-A Triad
▪ A widely used benchmark
for evaluation of information
systems security
▪ A system possessing all
three of these properties all
of the time is secure
▪ A system not possessing
one or more of these
properties at any time is not
secure
47
Three Pillars of HIPAA-HITECH
Compliance
48
Implementation Specifications
▪ Grouped into 5 Categories ▪ Administrative
▪ Physical
▪ Technical
▪ Organizational
▪ Policies, Procedures and Documentation
▪ Identified as “Required” or “Addressable” ▪ Required
▪ Addressable - based on sound, documented reasoning from risk analysis
49
Administrative Safeguards
▪ Designate an individual responsible for HIPAA
compliance for the organization
▪ Analyze security risks and implement policies
and procedures that prevent, detect, and
correct security issues
▪ Define sanctions for security violations
▪ Ensure members of the work force have access
to information appropriate for their jobs
▪ Implement termination procedures
▪ Implement procedures authorizing access 50
Administrative Safeguards (Cont.)
▪ Implement ▪ a security awareness and training program
▪ policies and procedures for reporting and
responding to security incidents and other
emergencies
▪ Periodically monitor adherence to security
policies and procedures, document results,
and make appropriate improvements
▪ Establish contracts between a covered entity
and business associates to ensure appropriate
safeguards are in place to protect ePHI 51
Physical Safeguards
▪ Limit physical access to equipment and
locations that contain or use ePHI
▪ Specify workstation and work area roles
and assignments where workstations with
access to ePHI are located
▪ Specify how workstations permitting
access to ePHI are protected from
unauthorized use, including laptops, PDAs,
etc.
▪ Address the receipt and removal of
hardware and electronic media that contain
ePHI 52
Technical Safeguards ▪ Implement policies and procedures limiting
access to ePHI to persons or software
programs requiring the ePHI to do their jobs
▪ Install hardware, software, or manual
mechanisms to examine activity in systems
containing ePHI
▪ Ensure policies and procedures that protect
ePHI from being altered or destroyed
▪ Implement mechanisms to protect ePHI that is
being transmitted electronically from one
organization to another 53
Organizational Requirements
▪ Document that business associate
contracts or other arrangements comply
with the security measures when handling
ePHI
▪ Ensure that business associates have
plans that document appropriate
safeguards for ePHI
54
Policies, Procedures and
Documentation
▪ Implement reasonable and appropriate policies
and procedures to comply with the standards,
implementation specifications, and other
requirements of the security rule
▪ Ensure that written or electronic records of policies
and procedures implemented to comply with the
security rule be maintained for a period of six
years from the date of creation or the date when
last in effect
55
Enforcement: Amount of CMP –
45 CFR § 160.404
56
Don’t Forget Criminal Penalties
▪ Congress also establish criminal penalties for
certain actions…
▪ Up to $50,000 and one year in prison for certain
offenses such as knowingly obtaining PHI
▪ Up to $100,000 and up to five years in prison if
the offenses are committed under false pretenses
▪ Up to $250,000 and up to 10 years in prison if
the offenses are committed with the intent to sell,
transfer, or use protected health information for
commercial advantage, personal gain, or
malicious harm. 57
Sample Data Request
58
Sample Data Request
59
WHAT ARE FCRA AND GLBA?
60
FCRA/FACTA ▪ Fair Credit Reporting Act/Fair and Accurate
Credit Transactions Act of 2003
▪ FACTA added sections to the FCRA-15 USC
1681 et seq ▪ Help consumers fight the growing crime of
identify theft
▪ Prescreen opt-out notice ▪ 16 CFR 642
61
Major FACTA Provisions
▪ Free report - annualcreditreport.com
▪ Prescreen opt-out notice
▪ Disclose credit scores to mortgage applicants
▪ Credit report fraud alert
▪ ID Theft database
▪ Sets a new standard for what the law calls "employee misconduct investigations.“ (no permission required from employees)
▪ Secure disposal of consumer information
▪ Red Flag rules (ruling by FTC) 62
Red Flag Rules: Why?
▪ Growing identify theft
▪ To detect and stop identity thieves from using
someone else’s identifying information to
commit fraud
▪ To address identity theft problems
▪ Identify and address problematic information
▪ Enforcing agencies
▪ Payment Card Industry (PCI) standards
63
What is the Red Flags Rule Regulation?
▪ The red flag fall into five categories: ▪ Alerts, notifications, or warnings from a
consumer reporting agency
▪ Suspicious documents
▪ Suspicious personally identifying
information (i.e., suspicious address)
▪ Unusual use relating to a covered
account
▪ Notices from customers, victims of
identity theft, law enforcement
authorities, or other businesses about
possible identify theft in connection with
covered accounts 64
Who Must Comply with the Red
Flags Rule?
▪ Financial institutions and creditors with covered
accounts must implement a written Identity
Theft Prevention Program to detect, prevent,
and mitigate identity theft in connection with:
▪ the opening of a covered account, or
▪ any existing covered account
▪ Program must be appropriate to the size and
complexity of entity and nature and scope of
activities
65
Red Flags Rule Requirement
▪ Financial institution- a state or national bank, a
state or federal savings and loan association, a
mutual savings bank, a state or federal credit
union, or any other person that, directly or
indirectly, holds a transaction account belonging to
a consumer.
▪ Creditor – organizations that regularly defer
payment for goods or services or provide goods or
services and bill customers later.
66
Enforcement of Red Flags Rule
Compliance Deadline ▪ Anyone with “covered accounts”
must be compliant as of June 1,
2010.
Audits ▪ The FTC can conduct
investigations to determine if a
business has taken appropriate
steps to develop and implement a
written Program, as required by the
Rule. If a violation occurs, the FTC
can bring an enforcement action. 67
Red Flags Rule and Existing Security
Program
68
Red Flag Rule Elements
▪ Must include reasonable policies and
procedures to:
▪ Identify relevant Red Flags and incorporate them into
the Program
▪ Detect Red Flags by setting up procedures to detect
those red flags in your day-to-day operations
▪ Respond appropriately to any Red Flags that are
detected
▪ Ensure the Program is updated periodically to address
changing risks
69
Gramm-Leach-Bliley Act (GLBA)
▪ Passed in 1999
▪ To protect consumers’ personal financial
information held by financial institutions ▪ Non-Public Personal Information (NPI)
▪ Broad definition of FIs (Financial Institutions)
▪ Authority given to eight federal agencies and to
states
▪ For FIs but good model for others
Source: https://www.ftc.gov/tips-advice/business-center/privacy-and-
security/gramm-leach-bliley-act 70
Nonpublic Personal Financial
Information
▪ Personally identifiable financial information
about an individual;
▪ Any list, description, or other grouping of
consumers (and publicly available information
pertaining to them) derived using any personally
identifiable financial information that is not
publicly available
▪ Income information, credit history, and premium
payment history
71
PII Definition – Generally Accepted
Privacy principles (GAPP)
▪ Previously known as the AICPA/CICA Privacy Framework
▪ Privacy definition
▪ PII: Information related to identified or identifiable individual ▪ Name, Address, Telephone, SS # or Other
Government ID Numbers
▪ Employer, Employment History
▪ Credit Card Numbers, Credit History, Purchase History
▪ Personal or Family Financial or Medical Information
72
Usual State PII Definition
▪ First and last name OR last name and first initial - plus ▪ Social Security Number OR
▪ Drivers’ License Number OR
▪ State Identification Number OR
▪ Debit or Credit Card Number OR
▪ Financial Account Number OR
▪ Medical Information OR
▪ Health Insurance Information
▪ Most state notification laws: PIN(Private Industry Notification) or access code in combination with account numbers in definition 73
GLB Overall Requirements
▪ Administrative, technical, and physical
protections
▪ Ensure confidentiality and security
▪ Protect against anticipated threats or hazards
▪ Protect against unauthorized access
▪ Comprehensive written information security
program
74
GLB – Privacy Rule
▪ Governs the collection and disclosure of
customers' personal financial information by
financial institutions
▪ Also applies to companies, whether or not
they are financial institutions, who receive
such information
75
GLB – Safeguards Rule
▪ Requires all financial institutions to design,
implement, and maintain safeguards to protect
customer information.
▪ Applies to ▪ financial institutions that collect information from their
own customers,
▪ financial institutions such as credit reporting agencies
that receive customer information from other financial
institutions
76
Safeguards Rule Objectives
▪ Ensure the security and confidentiality of
customer records and information – in paper,
electronic or other form
▪ Protect against any anticipated threats or
hazards to the security or integrity of such
records
▪ Protect against unauthorized access to or use
of any records or information which could
result in substantial harm or inconvenience to
any customer 77
Security Program
▪ Comprehensive process oriented approach ▪ Identify assets
▪ Conduct periodic risk assessments
▪ Develop and implement program that addresses
specific requirements
▪ Monitor and test program
▪ Continually review and adjust
▪ Oversee third party provider arrangements and
practices
▪ Check relevant external standards 78
Compliance and IT Risk Management
Challenges
79
Terms for Quiz 2 (Unit 2, 3 and 4) ▪ Archive
▪ Bill of Rights
▪ Business Drivers for ERM
▪ CIA
▪ Classification
▪ Disposition principles
▪ Document
▪ EDRMS
▪ EHR
▪ FACTA
▪ FCRA
▪ FERPA
▪ GAPP
▪ GLB
▪ HIPAA
▪ Least Privilege
▪ Nonpublic Personal Financial
Information
▪ PCAOB
▪ PCI
▪ PHI
▪ PHR
▪ PII
▪ Preservation
▪ Records
▪ Records lifecycle
▪ Records Management
▪ Retention principles
▪ SEC
▪ SOX
▪ Zones 3/6/2021 80