Episode 444: Guess the Culprit of the Latest HIPAA Penalty: It's MFA and Phishing Scams
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech. In our latest episode, we dive into the importance of secure phone communications for therapy providers. We discuss:
- Instances of monetary HIPAA penalties
- Sharing login credentials between workforce members vs. with unauthorized third parties
- The importance of multi-factor authentication
- Using the Google Authenticator app for MFA
Listen here: https://personcenteredtech.com/group/podcast/ For more, visit our website.
Resources:
About the violations & penalty: HHS Office for Civil Rights Imposes a $548,265 Penalty Against Children's Hospital Colorado for HIPAA Privacy and Security Rules Violations
PCT Resources:
Related Training (non-CE): Security Awareness Grab-Bag, a collection of three short courses helping you and your staff maintain your security awareness through better handling of PHI in public, avoiding inappropriate disclosures, and preventing phishing and social engineering attacks.
Referenced podcast: Episode 440: MFA Made Easy with Google Authenticator
Group Practice Care Premium weekly (live & recorded) direct support & consultation service, Group Practice Office Hours -- including monthly session with therapist attorney Eric Ström, JD PhD LMHC + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost) + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices -- care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
In December 2023 the U.S. Department of Health and Human Services reported that the medical data of more than 88 million people was exposed in the first ten months of 2023. A 2018 Trustwave Global Security Report found that a single healthcare record fetches an average of $250.15 when sold, 50 times more valuable than a stolen credit card. 92% of stolen patient records were criminally acquired. This is a 9x increase over the past five years, affecting over 145 million people. Patient healthcare information is the most sensitive, valuable and prolific security challenge of the present day. Thankfully, we have this information because of the oft-maligned HIPAA law. Truly innovative for its time and often updated due to its popularity, it is a great accomplishment in privacy law. However, like most laws, its implementation for a business can be fraught. Consulting on HIPAA has become its own industry with an army of consultants and legal experts. In this episode of Strike Graph we delve into the 2nd edition of “The Practical Guide to HIPAA Privacy and Security Compliance” with the authors Rebecca Herold and Kevin Beaver. The discussion highlights the importance of a comprehensive approach to HIPAA compliance, common myths, and challenges facing healthcare organizations today. The episode also addresses the growing threat of cybercrime, the evolving landscape of data security, and practical steps organizations can take to safeguard patient information. A must-listen for professionals navigating the complex world of healthcare data security.
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech. In our latest episode, we're sharing information about updated HIPAA rules regarding privacy around discussions of reproductive health. We discuss:
- important dates to be aware of;
- the main bullet points of the Final Rule;
- the impact on Notices of Privacy Practices;
- what is and is not acceptable to disclose, and when;
- understanding the implications of this rule;
- and related resources on this topic from PCT.
Listen here: https://personcenteredtech.com/group/podcast/ For more, visit our website.
Resources:
HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy: Fact Sheet
HIPAA Privacy Rule to Support Reproductive Health Care Privacy [Final Rule]
PCT Resources:
PCT CE training: Law & Ethics Of Clinical Documentation For A Post Roe World (1 legal-ethical CE credit hour, on-demand training)
Group Practice Care Premium weekly (live & recorded) direct support & consultation service, Group Practice Office Hours -- includes monthly session with therapist attorney, Eric Ström, JD PhD LMHC + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost) + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech. In our latest episode, we summarize what group practice owners should know about the Office for Civil Rights Annual Reports to Congress and explain how understanding them can inform risk management. We discuss:
- the compliance report from the Office for Civil Rights (OCR);
- how complaints filed were resolved;
- compliance reviews vs. audits;
- reframing the (very common) fear of HIPAA complaints;
- the unsecured PHI report from the OCR;
- risk management for avoiding large breaches;
- the importance of reporting breaches;
- and the primary sources of breaches and ways to minimize them.
Listen here: https://personcenteredtech.com/group/podcast/ For more, visit our website.
References:
Annual Report to Congress on Breaches of Unsecured Protected Health Information
Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance
PCT Resources:
Group Practice Care Premium weekly (live & recorded) direct support & consultation service, Group Practice Office Hours + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost) + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices -- care for your practice using our supportive, shame-free risk analysis and mitigation planning service.
You'll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
PCT's Group Practice PCT Way HIPAA Compliance Manual & Materials -- comprehensive, customizable HIPAA Security Policies & Procedures and materials templates specifically for mental health group practices, with a detailed step-by-step project plan and guided instructions for adopting & implementing efficiently. **Includes a policy prohibition on use of BCC and CC; on workforce forwarding emails from their practice email account to a personal email account; and on data entry checking/not using autofill suggestions for recipients -- the P&P components that address the email-gone-awry situations we discussed in the podcast episode.
Policies & Procedures include customizable templates that address each of the HIPAA Security Rule Standards, ready for plug-and-play real practice application:
- Computing Devices and Electronic Media Technical Security Policy
- Bring Your Own Device (BYOD) Policy
- Communications Security Policy
- Information Systems Secure Use Policy
- Risk Management Policy
- Contingency Planning Policy
- Device and Document Transport and Storage Policy
- Device and Document Disposal Policy
- Security Training and Awareness Policy
- Passwords and Other Digital Authentication Policy
- Software and Hardware Selection Policy
- Security Incident Response and Breach Notification Policy
- Security Onboarding and Exit Policy
- Sanction Policy
- Release of Information Security Policy
- Remote Access Policy
- Data Backup Policy
- Facility/Office Access and Physical Security Policy
- Facility Network Security Policy
- Computing Device Acceptable Use Policy
- Business Associate Policy
- Access Log Review Policy
Forms & Logs include:
- Workforce Security Policies Agreement
- Security Incident Report
- PHI Access Determination
- Password Policy Compliance
- BYOD Registration & Termination
- Data Backup & Confirmation
- Access Log Review
- Key & Access Code Issue and Loss
- Third-Party Service Vendors
- Building Security Plan
- Security Schedule
- Equipment Security Check
- Computing System Access Granting & Revocation
- Training Completion
- Mini Risk Analysis
- Security Incident Response
- Security Reminder
- Practice Equipment Catalog
+ Workforce Security Manual & Leadership Security Manual -- the role-based, practical-application-oriented distillation of the formal Policies & Procedures
+ 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer).
True Birth discusses new tech in pregnancy. Pregnancy is a time of wonder and anticipation, but it also comes with its share of medical checkups and monitoring. Traditional prenatal care often involves frequent visits to the doctor's office, which can be time-consuming and inconvenient for expectant mothers. However, with advancements in technology, a revolutionary change is underway in obstetrics, ushering in the era of fetal monitoring at home. In this episode, we'll delve into a groundbreaking company that has paved the way for this transformation, offering the first FDA-cleared, remote monitoring system designed to make pregnancy care more accessible and convenient. Redefining Pregnancy Care At the forefront of the digital health revolution in obstetrics is new tech that is redefining the way expectant mothers and healthcare providers monitor pregnancies. Their innovative solution is a physician-prescribed, pregnancy monitoring system that empowers women to collect vital data and track their progress comfortably and conveniently from the comfort of home. The Ease of Frequent Monitoring: One of the key challenges in traditional prenatal care is the need for frequent monitoring of both the mother's and baby's well-being. This tech makes this process easier and more accessible. The system includes user-friendly devices that allow expectant mothers to perform monitoring sessions in the comfort of their own homes. These sessions are simple, comfortable, and, dare we say, a joy to do. Data Privacy and Security: One of the major concerns in remote healthcare is data privacy and security. With this new technology providers and patients can be assured that the data captured during readings is fully compliant with the HIPAA Privacy and Security Regulations. This means that your sensitive health information is protected, giving you peace of mind while you track your pregnancy progress remotely. 
Accurate Diagnoses and Predictions: The data collected through a remote monitoring system isn't just for show. It plays a crucial role in enhancing the accuracy of diagnoses and predictions related to pregnancy. By continuously monitoring key metrics and trends, healthcare providers can better understand and respond to any potential issues or deviations from the norm in real time. This proactive approach can lead to better outcomes for both mother and baby. Empowering Mothers: Perhaps one of the most significant advantages of this technology is how it empowers expectant mothers. No longer do you need to rely solely on periodic visits to your healthcare provider to understand your pregnancy's progress. With a remote monitoring system, you have access to real-time data that allows you to actively participate in your own care and make informed decisions about your pregnancy journey. Conclusion: These new ideas and innovations exemplify how technology can revolutionize healthcare, making it more accessible, convenient, and patient-centric. As we look toward the future of obstetrics, it's clear that innovations like these are poised to transform the way we approach pregnancy care, providing expectant mothers with greater peace of mind and control over their health. The journey to motherhood has never been more empowering. Your feedback is essential to us! We would love to hear from you. Please consider leaving us a review on your podcast platform or sending us an email at info@maternalresources.org. Your input helps us tailor our content to better serve the needs of our listeners. For additional resources and information, be sure to visit our website at Maternal Resources: https://www.maternalresources.org/.
You can also connect with us on our social channels to stay up-to-date with the latest news, episodes, and community engagement: Twitter: https://twitter.com/integrativeob YouTube: https://www.youtube.com/maternalresources Instagram: https://www.instagram.com/integrativeobgyn/ Facebook: https://www.facebook.com/IntegrativeOB Thank you for being part of our community, and until next time, let's continue to support, uplift, and celebrate the incredible journey of working moms and parenthood. Together, we can create a more equitable and nurturing world for all.
In this episode, Chase Cannon and Suzanne Spradley discuss employer compliance with the HIPAA privacy and security rules via lessons learned from three new HHS HIPAA settlement announcements. Chase leads off with a high-level review of the HIPAA rules for both fully and self-insured plans and the importance of safeguarding protected health information (PHI). Chase and Suzanne discuss the background and scenarios that led to the HHS investigation, how unauthorized access to PHI arose in the three settlement scenarios, and the importance of employers running a HIPAA risk assessment to get ahead of potential HIPAA problems. Chase and Suzanne share practical tips on HIPAA compliance, including training employees, involving IT and Technology teams when developing policies and procedures, and controlling access points (servers, emails, etc.) to electronic and physical PHI.
Welcome to the Healthcare Compliance Insights podcast, a series focused on healthcare regulatory, revenue integrity, compliance, and risk management topics. In this episode, BerryDunn healthcare consultant Robyn Hoffmann is joined by BerryDunn colleague Dr. Trisha Lee and special guest Linda Green, a Chief Compliance and Privacy Officer and Director of Quality Improvement at Wood River Health, a Federally Qualified Health Center (FQHC). The topic? Strategies and recommendations for maintaining patient privacy in a world dominated by social media and online reviews. To skip the introductions and get right to the podcast, please go to 4:42 of the episode.
Sean was joined by Elliot Golding of McDermott Will & Emery to discuss all things HIPAA Privacy and Security, Information Blocking, and a few more critical aspects of cybersecurity! This episode is a must for all medical practices, hospitals and health systems to ensure your compliance with the ever-changing landscape! Elliot is Sean's go-to when it comes to Data Privacy and Cybersecurity!
About Elliot Golding: Elliot Golding (CIPP/US) is a partner in McDermott Will & Emery's Data Privacy and Cybersecurity Practice. Elliot provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a focus on health care/life sciences, technology (including "digital health"), ecommerce, financial, and other sectors that frequently handle personal information. His practical approach helps clients balance legal risk with business needs, particularly relating to innovative issues such as “digital health” technologies, the Internet of Things, data monetization, online advertising technology, big data and Artificial Intelligence/Machine Learning tools (particularly in the health research context). He has extensive experience helping clients navigate the patchwork of evolving legal standards and best practices, including:
- Federal laws, such as HIPAA/HITECH, Information Blocking and Interoperability Rules, 42 CFR Part 2, GLBA, COPPA, health research rules, and marketing rules (TCPA, CAN-SPAM, etc.)
- US state laws, such as CCPA (and forthcoming laws in CA, CO, VA, CT, and UT), CMIA, CalFIPA, laws governing sensitive health and financial information, and state laws governing security and breach notification
- Industry standards (such as DAA/NAI self-regulatory principles and PCI-DSS) and security standards (such as NIST and ISO)
Elliot has also handled hundreds of breaches and security incidents through all aspects of investigation, notification, remediation and engagement with regulators.
He has received awards for his expertise from numerous publications, including Bloomberg and Global Data Review. Elliot also chairs several American Bar Association committees including the Privacy, Security and Emerging Technology Division; E-Privacy Law Committee, and Biotechnology, Healthcare Technology, and Medical Device Committee.
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Britton Burton highlights the following topics trending in healthcare cybersecurity this month:
- A new National Cybersecurity Strategy coming from the Biden administration in the next few weeks
- Healthcare cybersecurity legislation with mandatory requirements coming from Senator Mark Warner by the end of 1Q
- More ChatGPT analysis on malware writing, and why it is NOT suitable for use in a HIPAA Privacy compliant manner
- A small hospital in Illinois closes due to COVID expenses and a cyber attack that shut down billing
- The new Rural Emergency Hospital rule for struggling critical access and rural facilities
- The impact of travel nursing on cybersecurity
- FBI and Hive ransomware, and why the FBI wants more victims to call them
- Microsoft OneDrive takes first place for cloud app malware distribution
- A new DDoS threat from KillNet against healthcare and what to do about it
- An interesting update from the Russia/Ukraine war
- A call for community help on the evolution of NIST CSF and CSA CCM
Welcome to the Healthcare Compliance Insights podcast, a series focused on healthcare regulatory, revenue integrity, compliance, and risk management topics. In this episode, Regina Alexander discusses HIPAA Privacy and Patient Right of Access with Helen Hadley, a now retired BerryDunn Healthcare Practice Group Principal.
In this episode of CHATTINN CYBER, Marc Schein interviews Joseph J. Lazzarotti, Principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits their Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer focused on compliance, Joseph is also a member of the firm's Employee Benefits practice group. During the conversation, Marc and Joseph explore the latter's insightful cybersecurity journey, Jackson Lewis's growth and service offerings, and the importance of better client-service provider rapport in cyber insurance. Joseph started at Jackson Lewis in the early 2000s as an ERISA and tax attorney doing employee benefits work. At the same time, the HIPAA Privacy and Security Rules and the first data breach notification law in California were passed, which piqued Joseph's interest. It led him to investigate cybersecurity issues for clients, and he gradually built a growing team around it. Jackson Lewis stands as a forerunner in insurance panels with the fair advantage of deep experience dealing with carriers. They understand the rate pressures, the need for responsiveness, and the process of doing insured work, and they encourage meaningful customer relationships. Over the years, clients have become more engaged in buying cyber insurance. Though one could attribute it to a contractual obligation, they're mainly concerned about dependent business interruption from a cyber incident. To help with that, Joseph advises firms to examine the coverages, risks, retention, coinsurance, and related aspects to better understand the client's business and help them save wisely. Interestingly, people tend to have a good relationship with their brokers on the health plan side.
Joseph hints at how the trend is gradually taking hold in cyberspace as more cyber firms work on building better client relationships by assessing and handling policies that genuinely benefit them. Further in the dialogue, Marc and Joseph discuss cyber compliance and its ever-changing landscape. Though the term has existed for a long time, it has continually evolved with new amendments to cyber laws and acts, and it varies from institution to institution. It's necessary to comply with any regulations, for non-compliance can impact your reputation.
Highlights:
“Compliance is a great word, and it means different things to different people. Some people, when they hear compliance, they're like, well, if we're 80% of the way there, that's good enough, that's compliant.”
“Compliance also means doing all the things that you need to do with respect to the regulatory environment in which you're in. And for different companies, that means different things.”
“You may not be able to make information available to your customers, you may impact your reputation, all of that also plays into compliance in the sense that if we comply with a reasonable set of safeguards, we can really save our business.”
“What's interesting there is this personal liability, potentially, right with fiduciary obligations under ERISA for companies that don't do that, for individuals who don't meet their fiduciary role, as well as on the other side for advisors and other entities that service plans.”
Time-Stamps:
[00:43] - Joseph's entrepreneurial journey
[03:43] - Where to contact Joseph
[05:17] - Advice around insurance coverage for clients
[12:33] - Cyber compliance amid the rapidly changing organizational landscape
Connect with Joseph: Email: joseph.lazzarotti@jacksonlewis.com
We send and receive email every day, so it would seem natural to send emails to your patients. But what if the emails contain protected health information? How do you make email HIPAA compliant?
How you will use email with protected health information
The first questions to ask are, “Is my email network behind a firewall?” and “Am I only emailing protected health information between myself and my staff within the confines of the firewall?” If you answer yes to both questions, then you don't need to encrypt your emails. But you do need access controls for email accounts so that only those individuals who are authorized have access to protected health information.
On the other hand, if you intend to use email to send protected health information externally, you are responsible for protecting the protected health information—in other words, making it HIPAA compliant. Encryption is the key to making your email HIPAA compliant, but it's not that simple. Many email service providers that offer an encrypted email service are not HIPAA compliant because they do not incorporate all the necessary safeguards to meet the requirements of the HIPAA Privacy and Security Rules.
Here are some of the things you will want to consider to make your email HIPAA compliant:
- Ensure you have end-to-end encryption for email
- Enter into a HIPAA-compliant business associate agreement with your email provider
- The most important step: develop policies on the use of email and train your staff
- Emails containing PHI need to be retained for 6 years
- Secure, encrypted email archiving saves storage space and is indexed, making it easier to search
- Obtain consent from patients before communicating with them by email
HIPAA email compliance should be included in your compliance plan. You don't want something we all do every day, sending and receiving emails, to get you into HIPAA trouble.
If you are unsure of the requirements of HIPAA compliance, speak with a healthcare attorney who specializes in HIPAA to advise you of your responsibilities and the requirements of HIPAA with respect to email.
For a full searchable copy of the transcript, visit https://www.thepracticebuildingmd.com/podcast
If you'd like to hear more tips on how to start, run and grow your practice and related medical businesses, please sign up for my newsletter at https://www.thepracticebuildingmd.com. And be sure to join my FB group, The Private Medical Practice Academy. Enroll in my course, How To Start Your Own Practice, and get the step-by-step process for opening your doors. Or join The Private Medical Practice Academy Membership for live group coaching, expert guest speakers and everything you need to know to start, grow and leverage your private practice.
On This Week's Best Of: From our National Conference, WEDI's Privacy and Security workgroup co-chairs, Marilyn Zigmund Luke (AHIP) and Tina Grande (Healthcare Leadership Council), host a roundtable discussion on the evolution and challenges of securing patient data in today's healthcare IT environment. The panelists:
- Lina Walker, PhD, Vice President, Health Security, AARP
- Mari Savickis, Vice President, Public Policy, CHIME
- Laura Hoffman, JD, Assistant Director, Federal Affairs, American Medical Association
Hard to believe that this is our official 300th episode! We are still a tiny podcast in a huge sea, but we are pretty sure you cannot find a longer-running podcast about HIPAA Privacy and Security. To celebrate we have some very special guests, Dave Bittner and Ben Yelin from the CyberWire Caveat podcast. They are joining us for a discussion about where we all see things going in the future for data privacy laws and cybersecurity protections. More info at HelpMeWithHIPAA.com/300
Healthcare Practice Group member Maggie K. Martin explains the Health Insurance Portability and Accountability Act (HIPAA) and how it comes into play for patients and healthcare providers alike. From the current state of patient access to talk of a vaccine passport and a proposed new rule under consideration, Maggie discusses HIPAA's impact and the latest legislation being considered that may affect healthcare policies and patients' rights.
About Maggie K. Martin
Connect with Crowe & Dunlevy: Website | Facebook | Twitter | LinkedIn
Wes Morris, Clearwater, and Kirk J. Nahra, WilmerHale, discuss the recently-issued Health Insurance Portability and Accountability Act (HIPAA) proposed rule. The podcast discusses key changes made by the proposal, including changes to the minimum necessary standard for care coordination and other information disclosure changes. Sponsored by Clearwater.
We always know when serious stuff has happened behind the scenes and OCR got involved. Some major violations of privacy rights must have happened when we see the OCR notice reminding everyone that you cannot share patient information with the media without authorization. More info at HelpMeWithHIPAA.com/256
Attorney John Waters discusses an HHS Bulletin on HIPAA and the Novel Coronavirus.
HIPAA Privacy Rights aren't really about privacy. It’s more of a road map to grab your private health information. Just how much can they access? Settle in and pay close attention to America’s foremost health privacy expert, Twila Brase, RN, PHN, as she shares the overall landscape. Gird your loins for a dive to ground level where a patient tells a doctor everything. What happens after that is of deep concern for every American, regardless of political party. It’s especially important for future generations and for people with health histories they’d not like published on the Internet. But there’s a little-known secret to solve the current mess we are in. One stroke of a pen is all that’s needed. Come November 2020, the question we all must ask is who will most likely do it? Twila Brase is the President and Co-Founder of the Citizens Council for Health Freedom: https://www.cchfreedom.org/ She is the author of the bestselling book, Big Brother in the Exam Room: The Dangerous Truth about Electronic Health Records. Available here from Amazon: https://amzn.to/32EAswE or http://bigbrotherintheexamroom.com More of the links to topics mentioned on the show: Get out of the system: https://jointhewedge.com/ Admiral Michael Rogers at the Cleveland Clinic. Compare what NSA must do to read an American citizen's email or listen to a phone call (22:39 mark, medical privacy and the threat): https://www.youtube.com/watch?v=EU5UCCVT4D0&t=1428s Q & A Session (with a good question at the 20:13 mark about government databases): https://youtu.be/GsHAZ1-uW2c Visit Winning Healthcare Food Fights at: https://winhff.com Copyright 2020 – Winning Health Care Food Fights --- Send in a voice message: https://anchor.fm/winhff/message
In part two of this two-part series, Dorothy Cociu interviews IT Privacy and Security Consultant Ted Flittner of Aditi Group on the technical security side of HIPAA, as well as the impact HITECH has on your firm. In addition, Ted and Dorothy will discuss some of the pitfalls your firm could fall into, and how to improve overall IT Security for your business. They delve into details of HIPAA and HITECH as well as data breaches, ransomware, hacks, passwords, spear phishing, who is a target of hackers and actions you can take to minimize risk. These topics are relevant to everyone, not only those under HIPAA requirements, but businesses in general, as well as us at home.
In part one of our two-part episode, IT Privacy and Security Consultant Ted Flittner of Aditi Group interviews Dorothy Cociu on HIPAA Privacy and Security. This illuminating interview focuses on the physical and administrative security side of HIPAA. You'll learn what HIPAA is, its history, how non-compliance could cripple your business, and the fundamentals and nuances of compliance.
Laura Franco, VP/Director of Post-Acute Regulatory Strategy, LCS, discusses Social Media and HIPAA Privacy in the Healthcare Setting with Attorney Jo Ellen Whitney, Davis Brown Law Firm.
Our great time at Sage Intacct Advantage 2019 continues, as we take some time to talk with Mariana Antcheva, VP Legal for Sage Intacct. We dive into all things HIPAA, privacy, security, compliance, and some of the newest regulations that may impact accountants and bookkeepers dealing with sensitive client information. Mariana, one of Sage Intacct Advantage's highest-rated speakers, began her legal career in Bulgaria, then moved to the States, where she developed a wide range of expertise and skills in the SaaS and tech sectors revolving around IP strategy, e-commerce, privacy, and compliance.
The HIPAA Security Rule requires compliance to protect sensitive medical information. Attorney Brad Trudell, HIPAA Privacy and Security Lead, discusses the HIPAA Security Risk Assessment Process. For more information visit www.metastar.com/sra.
In the podcast, Jane Smith Patterson discusses her childhood and education, career, accomplishments while serving in NC Governor Jim Hunt's administration, and how NCHICA was founded. Jane, a lifelong activist to advance fair and equal treatment for minorities and women, was involved in the early Civil Rights movement, Equal Rights Amendment, and ACLU, and met leaders like Martin Luther King and Jimmy Carter. She was also a visionary who recognized early on the power of computers and how they could transform the state's economy and healthcare. She was involved in building the state's "information highway" while working in Governor Hunt's administration, and advanced it worldwide while with ITT. In 1994, she wrote the Executive Order signed by Gov. James Hunt that established NCHICA, the North Carolina Healthcare Information and Communications Alliance, to advance healthcare through the use of information technology. NCHICA was a pioneer in transforming the U.S. healthcare system, and is credited with being the founder of the HIPAA Privacy law. Janet Kennedy of Get Social Health is our podcast host.
Pharmacy Compliance Guide: Attestations & Certifications
Every fall we hear the PBMs sending out requests for attestations for Fraud, Waste and Abuse and HIPAA compliance. Why do they all keep asking for the same information? When Medicare Part D came into play, the Pharmacy Benefit Managers were given the regulatory authority to manage the Medicare Part D program. Part of this program was ensuring pharmacies were properly training their staff. It initially started with annual Fraud, Waste & Abuse training, OIG Exclusion verification, and HIPAA compliance training. Then each fall, everyone had to attest that they had accomplished these requirements for Medicare Part D. Unfortunately, a lot of pharmacies and organizations signed off on the attestations and really didn't do it. The attestation is a legal statement in which the individual, the pharmacy owner and/or the pharmacist-in-charge, legally attests that they are accomplishing the training; many had no documentation to support their claim. Legally this was a false claim under Medicare Part D, and the PBM can and did recoup all Part D reimbursements from the pharmacy, which was devastating. The PBMs then added to their requirements over the years, making them stricter and more overbearing. Most notable is the OIG Exclusion verification requirement. Only pharmacy, in all of health care, must accomplish this task every month. It started with just one database, the Office of Inspector General; then the General Services Administration (GSA) and the System for Award Management (SAM) were added. The GSA and SAM have publicly merged into one, but as of today we are still receiving a database from each of them. In addition, individual states are developing their own exclusion lists that must be checked. There is no standard for the lists. Some are managed by the health departments, others by the Attorney General or the Treasury Department. Jeff, let's break these requirements down.
What is involved with the Fraud, Waste and Abuse requirement besides the OIG Exclusion? Fraud, Waste and Abuse really is not hard to comply with. It is having established policies and procedures and training. However, when someone gets in trouble with the government for stealing money through claims or misleading patients, the Fraud, Waste and Abuse process is where all of the federal penalties come from. There are ten (10) basic policies and procedures, covering Fraud, Waste and Abuse Prevention, Anti-Kickback, Conflict of Interest, False Claims, Whistleblower Protection and General Compliance. When you look at these policies and procedures, they are mostly common sense. Bill for what you dispense and treat patients like they are your family. There are several methods of training. CMS has training modules and, like all things created by the government and their lawyers, they are complicated. To use these training modules, each employee logs into the CMS system, establishes a user name and password, then embarks on a one-hour on-line training session, with tests along the way. When the employee has completed the training, he or she will have a CMS training certificate for Fraud, Waste and Abuse with General Compliance. There are several problems with this training:
- Who has the time and the computers to have each employee spend one hour going through the training program?
- In the statute, Title 42 C.F.R. 422.504(B)(4)(vi), and the Medicare Prescription Drug Benefit Manual, Chapter 9, you are to train on the pharmacy's policies and procedures, which the CMS Module does not do.
- There is no requirement for a test.
We covered the OIG/GSA/SAM verification above; however, most people have the opinion that the OIG check is only for employees. This is not correct. The statute specifically states: "Any individual or entity that has been convicted…" Jeff, I never heard this before, so what is an entity?
The best definition I have been able to come up with is: a HIPAA Business Associate and any vendor you purchase a product from that you then dispense to a Medicare or Medicaid patient. It also includes 1099 employees, part-time employees and contractors. So the question is: are you verifying these entities? CVS/Caremark is checking this on their on-site inspections. So what is the HIPAA requirement? HIPAA has been around since 2003. We had a podcast earlier this year on HIPAA breaches and desk audits. If you haven't listened to it yet, it is quite important. HIPAA requires all health care providers and Business Associates to have HIPAA Privacy and Security policies and procedures. Annual training on these policies covers how HIPAA relates to your operations. Our listeners will primarily need privacy training on interactions with their patients and their requests, handling Protected Health Information and, most importantly, what to do when a breach occurs. Jeff, I remember the podcast on HIPAA breaches. That was one of the most informative podcasts we have had, and doing nothing when a breach occurs will lead to millions in fines. So I understand there was a new requirement added this year to attestations. Yes, Cultural Awareness Training. This was originally part of the Affordable Care Act, but it was struck down by the federal courts in November 2016. Then Humana and CVS/Caremark brought it back to life. This is training to ensure the pharmacy and the staff understand the culture of your patients and have the language skills to serve those who can't speak English. My biggest concern with this added requirement for community independent pharmacies is that we all live in our communities. We know our communities. If there is a second or third language in the neighborhood, we hire staff who speak these languages. We understand the local customs and cultures. Why would anyone offend your patients, who would then go to your competitor?
That might make sense inside the Washington Beltway or an insurance company board room, but not in an independent pharmacy. Now let's talk about credentialing. What is it, and why do we have to deal with it? Credentialing is simply the validation of the attestations. These normally start in late January. The PBMs want to see proof. These are mostly completed on-line or via fax. However, CVS/Caremark and OptumRx are doing follow-up on-site inspections. Each PBM has its own list of items to send in or provide to the on-site auditor:
- Fraud, Waste and Abuse training certificate or log (I recommend only sending the pharmacist-in-charge's, not the entire staff's)
- HIPAA training certificate or log (I recommend only sending the pharmacist-in-charge's, not the entire staff's)
- Specific pharmacy operational policies and procedures
- Pharmacy licenses
- Pharmacist-in-charge license
- Other miscellaneous requests
All of this is in an effort to validate that the attestation submitted in the fall was correct. Does anyone look at these documents? Good question. There are 26,000-plus independent pharmacies submitting documentation. Just the volume of documents is huge. The server size to store the data year after year will be in the terabytes. But I do know they do random checks. Are there any penalties? Yes, if you falsify an attestation, the pharmacy is in jeopardy of losing all Part D reimbursements for the period or year in question. Plus the pharmacy is in breach of contract and will be dropped from the contract. It really can't get much worse than that. OK, what was this NCPDP credentialing about in August? This has been on my radar. I met with NCPDP in 2016 about this project and then again at the NCPA convention in Orlando this year. NCPDP developed a platform to help pharmacies report one time, rather than multiple times each year. The concept is good. But there are challenges and concerns. First, the development was done with chain pharmacies, with no independent involvement.
The reason was that NCPDP had a massive test pool with the same organizations. It's logical, but there are more independents than chain pharmacies. This program works with the PBMs but not with the PSAOs, who are still requesting the same information. So it does reduce the amount of reporting. Now, my major concern is that NCPDP is sharing the information they are collecting with different organizations. They are updating your NPI information. OK, that is good. But they are also sending it to the National Supplier Clearinghouse. Here is the concern. If the data submitted to NCPDP differs from the CMS 855S Medicare Enrollment Application, NSC's process is to deactivate the PTAN. If you catch it right away, the pharmacy can re-activate the PTAN with no issue. However, if the pharmacy does not catch it because they are not reconciling their reimbursements on a weekly basis, and the PTAN is deactivated for a period of time, the pharmacy must reactivate their PTAN from scratch. If the pharmacy had "Exempt" status, depending on the length of time, the pharmacy loses the exemption and must start over with accreditation to continue to dispense DMEPOS products. I have seen this happen already. It is as simple as changing your hours of operation, updating the NCPDP credentialing website and not updating your Medicare 855S, and your PTAN is deactivated. This is a very costly error that no one thought about. Jeff, how can you prevent that from happening? Don't let just anyone complete these attestations and credentialing documents. Complete them all the same way, every time. Keep copies so you are consistent. Always know what your CMS 855S Medicare Enrollment Application states. When a change is made on the NCPDP website, make the same change on the CMS 855S application. Is there anything else the pharmacies need to be aware of for credentialing? Yes, one very important item. Continuous Quality Improvement certificates are required for Medicare Part D.
Every pharmacy is required to have a Continuous Quality Improvement (CQI) program. The CQI certificate is generated by an organization certifying that the pharmacy has an active CQI program. This is normally done through a Patient Safety Organization. We talked about a PSO on our last podcast with the Alliance for Patient Medication Safety. We can see the PBMs looking at the CQI certificates more closely in 2018. For my clients: make sure you continue with the PQC+ entries so you can pull the CQI certificates when these requests start in January and February. If you are not sure whether you have a CQI program or how to get your CQI certificate, be aware that the process is not a one- or two-week quick fix. There are a number of items that are required to be completed. Check out our last podcast on Patient Safety. There are not a lot of organizations talking about these subjects, especially the CQI programs and certificates. I keep my podcast factually based, but the Continuous Quality Improvement program, certificates and enrollment with a patient safety organization are part of the standard pharmacy compliance program that we offer. To my knowledge, no other consulting firm offers these services. Jeff, wrapping up our conversation today, you always bring items to us that no one is talking about. See omnystudio.com/listener for privacy information.
Kevin Beaver has more than 28 years of experience in I.T., the last 22 years of which have been dedicated to computer and information security. Kevin is author or co-author of a dozen information security books including the best-selling Hacking For Dummies, Hacking Wireless Networks For Dummies and the Practical Guide to HIPAA Privacy and Security Compliance. As well as being a prolific writer, Kevin is also creator and author of the Security On Wheels information security audio programs. In this episode Kevin talks about the need for non-technical skills and the importance of communication. Kevin also talks about how writing "Hacking For Dummies" has helped his career and why you should get yourself known for what you do. To find out more about this episode, visit the show notes page at www.itcareerenergizer.com/e23
Cyberattacks are happening in the health care industry at an alarming rate and some speculate that health care organizations will be the most targeted sector in 2017. As this trend continues to climb, the government has enacted regulatory changes around the HIPAA Privacy and Security Rule requirements. In this episode of The Cerner Podcast, Francois Bodhuin, IT director at Inspira Health Network, a nonprofit health care organization in South Jersey, shares the best practices on how organizations can improve the security of patient information.
What is HIPAA privacy anyway? The annual reporting deadline for small breaches is up at the end of February. That means all those small privacy violations in 2016 must be reported on the HHS website soon, if you haven't already done it. Since those small ones often mean so much more than the big ones, it made me think it would be a good time to talk about privacy. A recent bizarre case in an Atlanta suburb made me realize just how much we value our privacy but may not realize it until it has been taken from us. More at HelpMeWithHIPAA.com/91
We always look at the security rule aspects of HIPAA because they deal with the easier parts for people to deal with when it comes to lowering their risk, but today we are diving into some privacy rule guidelines, because there is new HIPAA privacy guidance that has just been published. Get more info at HelpMeWithHIPAA.com/55
In this episode...
- Andrew discusses a few of the key challenges making it difficult for the healthcare sector right now
- Robb, Andrew and Raf discuss the importance of identity in the corporate environment
- Robb and Andrew give some of their wisdom on the successes and failures of CISOs (and the broader security industry)
- We discuss the technical vs. executive CISO approach (which is better?)
- Robb and Andrew provide some unfiltered advice for CISOs and those who want to become them
Guests:
Robb Reck (@RobbReck) - Chief Information Security Officer at Ping Identity, contributor to ISSA Denver, with a long history as a successful security executive and leader.
Andrew Labbo - Drew is the CISO at Denver Health and Hospital Authority and is the owner and principal of RMHG, which offers HIPAA consulting and HIPAA advisory services. Drew has over 15 years' experience with information security and technology and over 10 years' experience as a Privacy and Data Security Officer. He is an expert on HIPAA Privacy and Security Rule regulations as well as HITECH and Omnibus regulatory updates. Drew's recommendations are guided by his education in health administration and his experience and leadership integrating privacy and security controls with health information technology infrastructure and applications, as well as treatment, payment, operations, and human subjects research workflows and processes.
Sonia Luna interviews Chief Ethics Officer at Health Net, Bruce Anderson, who has over 20 years of experience in compliance and healthcare. As many of you know, Health Net is one of the largest health care providers in the US and headquartered in California. Bruce directs Medicare, corporate compliance and ethics programs. He oversees initiatives related to compliance with federal laws, corporate compliance daily operations, and compliance training and education. Bruce holds a Master’s Degree from the University of Pennsylvania and several certifications in the healthcare field including HIPAA Privacy. Bruce is a Certified Compliance and Ethics Professional (CCEP).
Rebecca will provide a brief discussion of the general consideration of what "privacy" and "personal information" really are, in addition to important factors when making a privacy risk assessment. She will also discuss some of her work and research in recent years involving medical devices, smart meters, geolocation, and a wide host of other Internet of Things and Big Data scenarios. Along with this will be a discussion of the need to be able to identify the privacy risks that accompany the use of new and evolving technologies, and then determine the best controls to use to mitigate them. This is intended to be an interactive and thought-provoking session. Rebecca will also give a copy of her new book, "Data Privacy for the Smart Grid" (http://www.crcpress.com/product/isbn/9781466573376), published by CRC Press, to an attendee.
About the speaker: Rebecca is widely recognized and respected and has been providing information privacy, security and compliance services, tools and products to organizations in a wide range of industries for over two decades. Rebecca has authored 16 published books, most recently "The Practical Guide to HIPAA Privacy and Security Compliance, 2nd Edition" in October 2014 and "Data Privacy for the Smart Grid" in January 2015, both published by CRC Press. Rebecca is currently authoring the ISACA Privacy Program Management Guide, which will be released during Q3 of 2015. Rebecca was one of the first practitioners to be responsible for both information security and privacy, starting in 1996 in a multi-national insurance and financial organization that was establishing one of the first online banks. In June 2009, Rebecca was asked to lead the NIST SGIP Smart Grid Privacy Subgroup, where she also led the Privacy Impact Assessment (PIA) for the home-to-utility activity, the very first performed in the electric utilities industry. In 2015 Rebecca was also asked to work with NIST on their Privacy Engineering initiative.
Rebecca is a co-owner of the SIMBUS Information Security and Privacy Services business, currently with the premier flagship HIPAA Compliance Tools and Vendor Tracker services (http://www.HIPAACompliance.org) for healthcare organizations and their business associates to meet their HIPAA, HITECH and other legal requirements. Rebecca has been an Adjunct Professor for the Norwich University Master of Science in Information Security & Assurance (MSISA) program since 2005. Rebecca currently serves on multiple advisory boards for security, privacy and high-tech organizations. Rebecca is frequently interviewed and quoted in diverse broadcasts and publications such as IAPP Privacy Advisor, BNA Privacy & Security Law Report, Wired, Popular Science, Computerworld, IEEE's Security and Privacy Journal, and many others. In addition to achieving CISSP, CISM, CISA, and FLMI certifications, Rebecca is CIPP/US, CIPM and CIPT certified, is a member of the IAPP Certification Advisory Board, and is an instructor for the IAPP's CIPT, CIPM, CIPP/US and CIPP Foundations classes. Rebecca has received numerous awards and recognitions for her privacy and information security work over the years.
Rebecca Herold, CIPM, CIPT, CIPP/US, CISSP, CISM, CISA, FLMI
Owner & CEO, The Privacy Professor (http://www.privacyguidance.com & http://www.privacyprofessor.org)
Co-Owner & CVO, SIMBUS Information Security and Privacy Services, HIPAA Compliance Tools (http://www.HIPAACompliance.org)
Partner, Compliance Helper (http://www.compliancehelper.com)
Adjunct Professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program (http://www3.norwich.edu/msia)
Twitter ID: PrivacyProf (http://twitter.com/PrivacyProf)
LinkedIn: https://www.linkedin.com/in/rebeccaherold
PHILIP L. GORDON is a shareholder in the Denver office of Littler Mendelson, P.C., the largest law firm practicing exclusively labor and employment law. Mr. Gordon chairs the Firm's Privacy and Data Protection Practice Group. He regularly counsels Fortune 500 companies, as well as medium-sized and small businesses, concerning compliance with recently enacted state data protection laws, the HIPAA Privacy and Security Rules and the European data protection laws; security incident response, background checks, workplace monitoring of employee communications, and other privacy and information security issues. In addition, he has substantial experience representing employers in trade secret, wrongful termination, and privacy-related litigation. Mr. Gordon has taught privacy and data security law as an adjunct professor at the University of Colorado School of Law. He is a member of the Editorial Board of the Privacy Officers Advisor, the monthly publication of the International Association of Privacy Professionals. Mr. Gordon lectures and publishes extensively on privacy and data protection issues. He is co-author of the book "HIPAA Privacy For Employers."
Guest: James Bream, JD
Host: Larry Kaskel, MD
Join Dr. Larry Kaskel and attorney Jim Bream of Querrey and Harrow as they banter back and forth over the HIPAA regulations, what they mean to you, and how to implement them in your daily practice.