Quiz IT electronic documents management

profileLoola22
ITUnit4_LawandPolicy.pdf

IT 380

Electronic Document and

Record Management

Systems

Unit 4: Legislation, Standards,

Regulations and Policy

Instructor: Dr. Michelle Liu

Topics

▪ Implied and explicit regulatory requirements for

documents

▪ Privacy as part of other laws

▪ U.S security and privacy laws ▪ SOX

▪ HIPAA

▪ FCRA/FACTA

▪ GBL

▪ Government-specific regulations

2

Protections Modified

▪ 4th Amendment EXPANDED ▪ Person protected as well as place

▪ Katz v. U.S. (1967)

▪ Warrantless phone booth wiretap violated Fourth

Amendment

▪ “Reasonable assumption of privacy” test

▪ Did person exhibit personal expectation to privacy

▪ Does society recognize expectation as reasonable

▪ LIMITED ▪ Garbage placed at the curbside is public property

▪ California v. Greenwood, 1988 3

Katz vs. United States

▪ FBI placed a recording device on the outside

of a telephone booth to record defendant

transmitting wagering information to Miami

and Boston

▪ Defendant appealed conviction, contending

recordings were obtained in violation of

Fourth Amendment

▪ COA rejected because no physical entrance

into phone booth

▪ The supreme court reversed defendant

conviction 4

Statutory Approach

▪ No systematic approach or basic concepts

▪ Solutions for specific problems ▪ Types of records

▪ Kinds of institutions

5

U.S. Security and Privacy Laws ▪ Freedom from disclosure ▪ Restrict public disclosure of private facts

▪ Freedom from theft ▪ Data security

▪ Freedom from seizure ▪ Law enforcement powers and limits

▪ Freedom from nuisance ▪ Intrusion on the seclusion of another

▪ May overlap

6

U.S. Privacy Laws up to 1968

▪ Privacy of mail (1782 & 1825)

▪ Warrant required to open mail (1877)

▪ State laws against disclosure of telegrams (1880s)

▪ Privacy of census (1919) – regulations before

▪ Communications Act of 1934 ▪ prohibited federal officials from disclosing info about

intercepted communications

▪ Omnibus Crime and Control Act of 1968 (Wiretap Act)

7

Content and Metadata: Legal

Rules

▪ Katz v. United States, 1967

▪ Smith v. Maryland, 1979

8

Attempts at Rational Policy

▪ Records, Computers and the Rights of Citizens ▪ US Department of Health, Education, and Welfare, 1973

▪ Personal Privacy in an Information Society ▪ US Privacy Protection Study Commission, 1977

▪ HEW Report ▪ Proposed set of “fair information practices”

▪ No secret databases

▪ Mechanism to find what in database and how used

▪ Prior approval to put info obtained for one purpose to

use for another purpose

▪ Mechanism to correct errors or amend record

▪ Organizations must ensure reliability of data for

intended use and take reasonable precautions to

prevent misuse

9

Privacy Commission

▪ Study areas ▪ Industry specific - credit, banks, insurance, medical,

investigative/reporting, education

▪ Issue specific – employment, medical care, government access to private records, tax records, research and statistical studies, social security number, use of mailing list data

▪ Statute specific – Privacy Act of 1974

▪ 162 recommendations

3/6/2021 10

U.S. Laws in the 1970s

▪ Fair Credit Reporting Act of 1970

▪ Bank Secrecy Act of 1970

▪ Privacy Act of 1974 ▪ Amended FOIA

▪ Regulates collection of information about individuals

▪ Prohibits unauthorized disclosure

▪ Gives individuals right to access & correct their records in federal databases

▪ Family Educational Rights and Privacy Act of 1974

(FERPA) ▪ Federal law that protects the privacy of student education records

▪ Right to Financial Privacy Act of 1978

▪ Fair Debt Collection Practices Act - 1978

▪ Foreign Intelligence Surveillance Act of 1978 11

U.S. Laws in the 1980s

▪ Privacy Protection Act of 1980

▪ Cable Communications Policy Act of 1984 ▪ Protects privacy of cable records, including viewing

habits, and limits collection

▪ Electronic Communications Privacy Act of

1986 ▪ Extended Wiretap Act to computer-based data

▪ Stored vs. in transit distinction

▪ Employee Polygraph Protection Act of 1988 ▪ Restricts use of polygraphs by private sector

▪ Video Privacy Protection Act of 1988 ▪ Protects privacy of video tape rental & purchase records

12

Sarbanes-Oxley Act of 2002 (SOX)

▪ “To protect investors by improving the

accuracy and reliability of corporate

disclosures made pursuant to securities

laws, and for other purposes.”

▪ In response to financial scandals ▪ Enron, WorldCom, Tyco

▪ Arthur Andersen

▪ 11 sections with requirements procedures; e.g. ▪ Companies evaluate and disclose the effectiveness of

their internal financial controls

▪ CEO & CFO certify accuracy of reports

▪ Fully independent audit committees and auditors

▪ Increased insider trade reporting 13

SOX Provisions ▪ Established Public Company Accounting

Oversight Board (PCAOB)

▪ Auditor Independence

▪ Corporate Responsibility

▪ Enhanced Financial Disclosures

▪ Analyze Conflicts of Interests

▪ SEC Resources and Authority

14

Penalties Under SOX

Failure to comply or

submission of an

inaccurate certification

Fine up to $1 million and

ten years in prison

A wrong certification

submitted purposely

Fine up to $5 million and

twenty years in prison.

Violate SEC regulations May be ineligible to hold a

director or officer position

in any publicly traded

company History - 15

SOX 404: Viable Internal Controls

▪ Creation and maintenance of internal

controls ▪ Separation of duties

▪ Checks and balances

▪ Documentation of events

▪ Internal controls

▪ Internal controls include ▪ Policies

▪ Procedures

▪ Training programs

▪ Other processes (example: inventory control) 16

How does it relate to records

management?

▪ Record retention

▪ Copies of records

▪ Audit trail

17

SOX Section 404 & IT

▪ SOX internal controls ▪ Requires annual statement of the “effectiveness of

the company's internal control structure and

procedures for financial reporting” and “must

disclose any material weakness”

▪ IT controls underlie other process controls - thus

section 404 requires good IT controls

18

19

20

Devices & Integration Proliferating

Quickly ▪ Mobile apps

▪ Medical monitoring devices

▪ Medical delivery devices

▪ Wirelessly-connected Internet of Things (IoT)

mobile med-devices ▪ Wearable fitness monitor

▪ Smart watch

▪ Smart clothing

▪ Assisted mobile device diagnosis

▪ Consumer health record repositories

▪ Health information exchanges 21

Institutions Become More

Complex

▪ Mergers of hospitals with other business

▪ Use cloud based business services

▪ Hospital chain expanding their scope ▪ Building large ambulatory practice groups

▪ Outsourcing radiology, ICU and dialysis

▪ Standing up health insurance companies

▪ Manage privacy

▪ Audit activity

▪ Manage reliability 22

What is the Big Deal?

▪ Street cost for a stolen record: ▪ Medical: $50 vs. SSN: $1

▪ Payout for identity theft ▪ Medical:$20,000 vs. Regular: $2,000

▪ Medical records can be exploited 4x

longer ▪ Credit cards can be cancelled; medical

records can’t ▪ Medical Records Abuse

consequences ▪ Prescription fraud

▪ Embarrassment

▪ Financial fraud

▪ Personal data resale

▪ Blackmail/extortion

▪ Medical claims fraud

▪ Job loss/reputational 23

RSA Report on Cybercrime and the Healthcare Industry

❑ Majority of clinical fraud:

❑ Obtain prescription narcotics for

illegitimate use

❑ Free health care

TAKE A CLOSER LOOK AT

HIPAA

24

Topics

▪ HIPAA ▪ Why do those laws and regulations exist?

▪ Who is covered?

▪ What is covered?

▪ What is required or prohibited?

▪ What happens if I don’t comply?

25

HIPAA Overview

▪ The Health Insurance Portability and

Accountability Act of 1996 (HIPAA)

addressed insurance portability, fraud and

administrative simplification

▪ This act is watershed legislation for the

healthcare industry

▪ It resulted in substantial investment in e-

health initiatives and deployment of security

technology in the healthcare industry

26

HIPAA Goals

▪ Improve portability and continuity of health

insurance coverage in the group market

▪ Combat waste, fraud and abuse in health

insurance and healthcare delivery

▪ Promote the use of medical savings

accounts (HSAs)

▪ Improve access to long term care services

and coverage

▪ Simplify healthcare administrative data

exchange 27

Protected Health Information

▪ Healthcare providers must ensure the

confidentiality, integrity, and availability of

electronic protected health information (ePHI)

that the covered entity creates, receives,

maintains, or transmits

▪ Privacy Rule and Security Rule ▪ The privacy rule regulates uses and disclosures of

PHI,* while the security rule regulates the creation,

receipt, maintenance, and transmission of electronic

PHI.

▪ All electronic PHI is PHI subject to the privacy rule.

But not all PHI is electronic PHI—PHI is the larger

category and electronic PHI is a subset. 28

Privacy Rule and Security Rule

▪ Privacy Rule ▪ “Have in place appropriate administrative, technical,

and physical safeguards to protect the privacy of

protected health information.”*

▪ Applies to ALL PHI

▪ Need to know/Minimum necessary (to do jobs)

▪ Security Rule ▪ What policies/trainings/technologies are in place to

keep unauthorized people from seeing your data?

▪ Applies to Electronic PHI

▪ Does not apply to PHI on pieces of paper or to PHI

that is faxed over dedicated phone lines! 29

Omnibus Final Rule ▪ Took effect on September 23, 2013 ▪ The biggest change to HIPAA in 15 years

▪ Makes business associates of covered entities directly

liable for compliance with certain aspects of the HIPAA

Privacy and Security Rules’ requirements*

▪ Covered entity: healthcare providers, health plans,

healthcare clearinghouses

▪ The term business associates refers to any entity that

provides supporting products or services that are related

to PHI ▪ Create, receive, maintain or transmit PHI

▪ Business Associate Agreement (BAA) are formalized and

legally-binding documents where these entities

acknowledge their responsibilities for maintaining privacy

and security standards as part of the provider’s service. 30

*Source: U.S. Department of Health and Human Services

31

Devices & Integration Proliferating

Quickly ▪ Mobile apps

▪ Medical monitoring devices

▪ Medical delivery devices

▪ Wirelessly-connected Internet of Things (IoT)

mobile med-devices ▪ Wearable fitness monitor

▪ Smart watch

▪ Smart clothing

▪ Assisted mobile device diagnosis

▪ Consumer health record repositories

▪ Health information exchanges 32

Institutions Become More

Complex

▪ Mergers of hospitals with other business

▪ Use cloud based business services

▪ Hospital chain expanding their scope ▪ Building large ambulatory practice groups

▪ Outsourcing radiology, ICU and dialysis

▪ Standing up health insurance companies

▪ Manage privacy

▪ Audit activity

▪ Manage reliability 33

• Laptop/notebook • Tablet computers such

as iPads • Mobile/Cellular phones • Smartphones • PDA

Limits on uses and disclosures

Individual privacy rights

Administrative requirements

The

Privacy

Rule

3/6/2021 34

• Laptop/notebook • Tablet computers such

as iPads • Mobile/Cellular phones • Smartphones • PDA

Technical safeguards

Administrative safeguards

Physical safeguards

The

Security

Rule

3/6/2021 35

Organizational

Policies, Procedures and Documentation

Privacy and Security

36

Privacy: Covered Information

▪ Protected Health Information (PHI) includes patient identifiable data such as: ▪ Names, addresses, dates, phone numbers, email addresses,

SSN, license numbers, IP addresses, account numbers, etc.

▪ Any patient information created or received relating to past, present, or future condition; provision of health care; past, present, or future payments for health care provision

▪ De-identified health information is not considered PHI

▪ Privacy Rule ▪ Disclose policies for use and disclosure of information

▪ Privacy compliance program, including staff training

37

Permitted Disclosures

▪ PHI can be released without prior

authorization for Treatment,

Payment, and Health Care

Operations.

▪ As a general rule, anything else

requires specific written authorization

from the patient.

38

Example from Random Audit

Review ▪ Random Audit reveals employees snooping

in Emergency Department records

▪ For Cause Audit reveals employee looking

up lab results for family member

▪ High Profile Audit reveals employees

snooping in accident victim’s records

39

Examples of PHI Breach ▪ Local church reports medical records

received due to misdialed fax number

▪ Patient notified of breach due to test results

being given to another patient

▪ Patients notified of breach when email sent

with incorrect attachment

▪ Privacy investigation reveals unauthorized

disclosure, results in termination of 35+ year

nurse.

40

41

Can you

spot the

breach?

How about ransomware? ▪ Ransomware incidents treated as data

breaches under HIPAA

▪ Ransomware attacks constitute breach

unless there is substantial evidence to

contrary (US DHHS OCR) ▪ Must initiate security incident response and

reporting procedures as called for by HIPAA

Security Rule

▪ Must also follow risk assessment requirements of

HIPAA Breach Notification Rule

42

HIPAA Criminal Penalties

▪ UCLA researcher notified of termination. In

retaliation he accessed the medical records of his

superior, co-workers and celebrities. He was

convicted and sentences to 4 years in jail.

▪ LPN from medical clinic access PHI of patient and

gave it to her husband to use in a legal

proceeding against the patient. Both the LPN and

her husband were indicted.

▪ Trinity Medical Center (Birmingham, AL)

employee indicted for stealing identifying

information of 4,000 patients for committing

identify theft. 43

Examples and Exceptions

▪ A hospital (covered entity) adopts an electronic medical

records (EMR) system.

▪ If the EMR software vendor (business associate) needs

access to PHI then it would need to complete a BAA.

▪ If the hospital uses cloud-based services to store data

containing PHI then the cloud-based services provider

would need to complete a BAA.

▪ A BAA is not required for organizations, such as the US

Postal Service, certain private couriers and their

electronic equivalents that act merely as conduits for

protected health information

44

Additional Considerations ▪ Notices of Privacy Practices

▪ Breach Notification Requirements ▪ Patient(s) must be notified within 60 days;

▪ All breaches must be reported to the

Department of Health and Human Services

through the Office for Civil Rights

▪ Security Rule Compliance

45

The HIPAA Security Rule

▪ Requires covered entities to: ▪ Ensure protection against any reasonably

anticipated threats or hazards to the security or

integrity of information

▪ Protect against reasonably anticipated uses and

disclosures

▪ Ensure compliance by workforce

▪ Review and modify security measures periodically

to continue reasonable and appropriate protections

3/6/2021 46

The C-I-A Triad

▪ A widely used benchmark

for evaluation of information

systems security

▪ A system possessing all

three of these properties all

of the time is secure

▪ A system not possessing

one or more of these

properties at any time is not

secure

47

Three Pillars of HIPAA-HITECH

Compliance

48

Implementation Specifications

▪ Grouped into 5 Categories ▪ Administrative

▪ Physical

▪ Technical

▪ Organizational

▪ Policies, Procedures and Documentation

▪ Identified as “Required” or “Addressable” ▪ Required

▪ Addressable - based on sound, documented reasoning from risk analysis

49

Administrative Safeguards

▪ Designate an individual responsible for HIPAA

compliance for the organization

▪ Analyze security risks and implement policies

and procedures that prevent, detect, and

correct security issues

▪ Define sanctions for security violations

▪ Ensure members of the work force have access

to information appropriate for their jobs

▪ Implement termination procedures

▪ Implement procedures authorizing access 50

Administrative Safeguards (Cont.)

▪ Implement ▪ a security awareness and training program

▪ policies and procedures for reporting and

responding to security incidents and other

emergencies

▪ Periodically monitor adherence to security

policies and procedures, document results,

and make appropriate improvements

▪ Establish contracts between a covered entity

and business associates to ensure appropriate

safeguards are in place to protect ePHI 51

Physical Safeguards

▪ Limit physical access to equipment and

locations that contain or use ePHI

▪ Specify workstation and work area roles

and assignments where workstations with

access to ePHI are located

▪ Specify how workstations permitting

access to ePHI are protected from

unauthorized use, including laptops, PDAs,

etc.

▪ Address the receipt and removal of

hardware and electronic media that contain

ePHI 52

Technical Safeguards ▪ Implement policies and procedures limiting

access to ePHI to persons or software

programs requiring the ePHI to do their jobs

▪ Install hardware, software, or manual

mechanisms to examine activity in systems

containing ePHI

▪ Ensure policies and procedures that protect

ePHI from being altered or destroyed

▪ Implement mechanisms to protect ePHI that is

being transmitted electronically from one

organization to another 53

Organizational Requirements

▪ Document that business associate

contracts or other arrangements comply

with the security measures when handling

ePHI

▪ Ensure that business associates have

plans that document appropriate

safeguards for ePHI

54

Policies, Procedures and

Documentation

▪ Implement reasonable and appropriate policies

and procedures to comply with the standards,

implementation specifications, and other

requirements of the security rule

▪ Ensure that written or electronic records of policies

and procedures implemented to comply with the

security rule be maintained for a period of six

years from the date of creation or the date when

last in effect

55

Enforcement: Amount of CMP –

45 CFR § 160.404

56

Don’t Forget Criminal Penalties

▪ Congress also establish criminal penalties for

certain actions…

▪ Up to $50,000 and one year in prison for certain

offenses such as knowingly obtaining PHI

▪ Up to $100,000 and up to five years in prison if

the offenses are committed under false pretenses

▪ Up to $250,000 and up to 10 years in prison if

the offenses are committed with the intent to sell,

transfer, or use protected health information for

commercial advantage, personal gain, or

malicious harm. 57

Sample Data Request

58

Sample Data Request

59

WHAT ARE FCRA AND GLBA?

60

FCRA/FACTA ▪ Fair Credit Reporting Act/Fair and Accurate

Credit Transactions Act of 2003

▪ FACTA added sections to the FCRA-15 USC

1681 et seq ▪ Help consumers fight the growing crime of

identify theft

▪ Prescreen opt-out notice ▪ 16 CFR 642

61

Major FACTA Provisions

▪ Free report - annualcreditreport.com

▪ Prescreen opt-out notice

▪ Disclose credit scores to mortgage applicants

▪ Credit report fraud alert

▪ ID Theft database

▪ Sets a new standard for what the law calls "employee misconduct investigations.“ (no permission required from employees)

▪ Secure disposal of consumer information

▪ Red Flag rules (ruling by FTC) 62

Red Flag Rules: Why?

▪ Growing identify theft

▪ To detect and stop identity thieves from using

someone else’s identifying information to

commit fraud

▪ To address identity theft problems

▪ Identify and address problematic information

▪ Enforcing agencies

▪ Payment Card Industry (PCI) standards

63

What is the Red Flags Rule Regulation?

▪ The red flag fall into five categories: ▪ Alerts, notifications, or warnings from a

consumer reporting agency

▪ Suspicious documents

▪ Suspicious personally identifying

information (i.e., suspicious address)

▪ Unusual use relating to a covered

account

▪ Notices from customers, victims of

identity theft, law enforcement

authorities, or other businesses about

possible identify theft in connection with

covered accounts 64

Who Must Comply with the Red

Flags Rule?

▪ Financial institutions and creditors with covered

accounts must implement a written Identity

Theft Prevention Program to detect, prevent,

and mitigate identity theft in connection with:

▪ the opening of a covered account, or

▪ any existing covered account

▪ Program must be appropriate to the size and

complexity of entity and nature and scope of

activities

65

Red Flags Rule Requirement

▪ Financial institution- a state or national bank, a

state or federal savings and loan association, a

mutual savings bank, a state or federal credit

union, or any other person that, directly or

indirectly, holds a transaction account belonging to

a consumer.

▪ Creditor – organizations that regularly defer

payment for goods or services or provide goods or

services and bill customers later.

66

Enforcement of Red Flags Rule

Compliance Deadline ▪ Anyone with “covered accounts”

must be compliant as of June 1,

2010.

Audits ▪ The FTC can conduct

investigations to determine if a

business has taken appropriate

steps to develop and implement a

written Program, as required by the

Rule. If a violation occurs, the FTC

can bring an enforcement action. 67

Red Flags Rule and Existing Security

Program

68

Red Flag Rule Elements

▪ Must include reasonable policies and

procedures to:

▪ Identify relevant Red Flags and incorporate them into

the Program

▪ Detect Red Flags by setting up procedures to detect

those red flags in your day-to-day operations

▪ Respond appropriately to any Red Flags that are

detected

▪ Ensure the Program is updated periodically to address

changing risks

69

Gramm-Leach-Bliley Act (GLBA)

▪ Passed in 1999

▪ To protect consumers’ personal financial

information held by financial institutions ▪ Non-Public Personal Information (NPI)

▪ Broad definition of FIs (Financial Institutions)

▪ Authority given to eight federal agencies and to

states

▪ For FIs but good model for others

Source: https://www.ftc.gov/tips-advice/business-center/privacy-and-

security/gramm-leach-bliley-act 70

Nonpublic Personal Financial

Information

▪ Personally identifiable financial information

about an individual;

▪ Any list, description, or other grouping of

consumers (and publicly available information

pertaining to them) derived using any personally

identifiable financial information that is not

publicly available

▪ Income information, credit history, and premium

payment history

71

PII Definition – Generally Accepted

Privacy principles (GAPP)

▪ Previously known as the AICPA/CICA Privacy Framework

▪ Privacy definition

▪ PII: Information related to identified or identifiable individual ▪ Name, Address, Telephone, SS # or Other

Government ID Numbers

▪ Employer, Employment History

▪ Credit Card Numbers, Credit History, Purchase History

▪ Personal or Family Financial or Medical Information

72

Usual State PII Definition

▪ First and last name OR last name and first initial - plus ▪ Social Security Number OR

▪ Drivers’ License Number OR

▪ State Identification Number OR

▪ Debit or Credit Card Number OR

▪ Financial Account Number OR

▪ Medical Information OR

▪ Health Insurance Information

▪ Most state notification laws: PIN(Private Industry Notification) or access code in combination with account numbers in definition 73

GLB Overall Requirements

▪ Administrative, technical, and physical

protections

▪ Ensure confidentiality and security

▪ Protect against anticipated threats or hazards

▪ Protect against unauthorized access

▪ Comprehensive written information security

program

74

GLB – Privacy Rule

▪ Governs the collection and disclosure of

customers' personal financial information by

financial institutions

▪ Also applies to companies, whether or not

they are financial institutions, who receive

such information

75

GLB – Safeguards Rule

▪ Requires all financial institutions to design,

implement, and maintain safeguards to protect

customer information.

▪ Applies to ▪ financial institutions that collect information from their

own customers,

▪ financial institutions such as credit reporting agencies

that receive customer information from other financial

institutions

76

Safeguards Rule Objectives

▪ Ensure the security and confidentiality of

customer records and information – in paper,

electronic or other form

▪ Protect against any anticipated threats or

hazards to the security or integrity of such

records

▪ Protect against unauthorized access to or use

of any records or information which could

result in substantial harm or inconvenience to

any customer 77

Security Program

▪ Comprehensive process oriented approach ▪ Identify assets

▪ Conduct periodic risk assessments

▪ Develop and implement program that addresses

specific requirements

▪ Monitor and test program

▪ Continually review and adjust

▪ Oversee third party provider arrangements and

practices

▪ Check relevant external standards 78

Compliance and IT Risk Management

Challenges

79

Terms for Quiz 2 (Unit 2, 3 and 4) ▪ Archive

▪ Bill of Rights

▪ Business Drivers for ERM

▪ CIA

▪ Classification

▪ Disposition principles

▪ Document

▪ EDRMS

▪ EHR

▪ FACTA

▪ FCRA

▪ FERPA

▪ GAPP

▪ GLB

▪ HIPAA

▪ Least Privilege

▪ Nonpublic Personal Financial

Information

▪ PCAOB

▪ PCI

▪ PHI

▪ PHR

▪ PII

▪ Preservation

▪ Records

▪ Records lifecycle

▪ Records Management

▪ Retention principles

▪ SEC

▪ SOX

▪ Zones 3/6/2021 80