Hello, everyone. It's Chris Stevens. I want you to be able to see my smiling face and my big bowl here because some people have compared me to a chocolate Shrek, one of my favorite characters, and so I wear that as a badge of honor. But I'm Chris Stevens. I'm the privacy gremlin. I'm also the InfoSec Institute's instructor for its Information Privacy Essentials for Cybersecurity Professionals learning path. In this course, we're going to focus on US healthcare privacy-related laws and privacy compliance guidance. This is one of the topics that is near and dear to my heart. If you've ever had the opportunity to review the annual IBM and Ponemon Institute global report that looks at the cost of a data breach, it surveys companies across the globe, breaks down trends for us, and looks at different types of data, because data is valued differently by cyber adversaries and cyber criminals. When you look at that, you'll see that the healthcare industry is heavily targeted because of the value of healthcare data, primarily defined under the Health Insurance Portability and Accountability Act of 1996, as amended. We focus on protected health information and electronic protected health information as it applies to those covered entities and business associates that have to comply with HIPAA and its amendments. It's one of the reasons that compelled me to go out and get the American Health Information Management Association's Certified in Healthcare Privacy and Security certification, as well as the Health Care Compliance Association's Certified in Healthcare Privacy Compliance, because of the focus on helping this industry safeguard itself. If you've been reviewing articles and discussions over the last several years, you can see that healthcare itself is being targeted heavily for ransomware attacks and other types of attacks.
I spend a lot of time on the US Department of Health and Human Services website, primarily looking at the Office for Civil Rights, which is the enforcement arm for HIPAA and its related laws and regulations. It gives me insight into trends and how HHS views compliance from a HIPAA perspective. I also go to the Office of the Inspector General's website there at HHS because it also provides me with good insights [inaudible] best practices from a covered entity or from a business associate perspective. What are we going to talk about? We're going to have an introduction to US healthcare privacy. We're going to talk about why HIPAA is important, the Health Insurance Portability and Accountability Act of 1996. We'll talk about a law that's personal to me, the Genetic Information Nondiscrimination Act of 2008, which amends HIPAA. We'll talk about the all-important Health Information Technology for Economic and Clinical Health Act of 2009, which significantly amends HIPAA. We'll talk about the HIPAA Omnibus Final Rule of 2013, which makes permanent a lot of the amendments made under GINA, under HITECH, to the Enforcement Rule and to the Breach Notification Rule. Then we'll have a brief discussion on healthcare privacy compliance because it's really important. Again, when Congress enacted HIPAA initially, it did so to improve the efficiency of the delivery of healthcare to employees, but what it realized very quickly was that these covered entities themselves processed a lot of information that pertained to patients that put them at risk. What it did was direct HHS to promulgate two rules: a Privacy Rule that provided guidance on the privacy aspects of protecting PHI, protected health information, in any format, and then later the Security Rule, because again, we were transitioning from a paper-based way of submitting requests for reimbursement for services provided to patients to an electronic environment.
In 2003, and later amended in 2005, HHS promulgated the Security Rule. The Genetic Information Nondiscrimination Act amends HIPAA by requiring that if you are a health plan, an insurer, an employer, or a trade union, then again, you couldn't discriminate against individuals because they might be predisposed toward a genetic illness or disorder that has not yet manifested itself. It's personal to me because both of my parents died of cancer at an early age. From an employer's, a prospective employer's, or a prospective healthcare insurer's perspective, and GINA only applies these protections to health insurance, not life insurance and other types of insurance, but with a prospective healthcare insurer or an employer, for opportunities for training and employment, for group health insurance policies, I could be discriminated against or offered substandard policies because of the perception that just because my parents contracted and died of cancer, I too could contract it. I've never shown any signs or symptoms, but that's the importance of GINA. HITECH is extremely important, the Health Information Technology for Economic and Clinical Health Act. HIPAA had many shortcomings as it was enacted in 1996. Primarily it focused on what we would define as covered entities. Now if you remember our discussions about the GDPR, we used terms like data controller and data processor, and when we talked about the ISO/IEC privacy framework, we used terms like PII controller and PII processor. But when we were talking about the controller, we said that that's the decision-maker. It determines how protected health information is going to be processed and handled, and so the law came down heavy on those covered entities. It didn't really apply to business associates. The only way a covered entity could drive compliance was by using contractual vehicles to obligate them to maintain the confidentiality of PHI and also to have the security protections in place to protect it.
HITECH helps to balance the playing field, and we're going to talk about that in greater detail, some of the significant ways in which HITECH amended HIPAA. It's the Omnibus Final Rule of 2013 that really was when HHS looked at all the changes that had occurred to HIPAA since 1996 and decided to make them permanent. We're looking at modifications, HITECH amendments, GINA amendments, amendments to the Breach Notification Rule, amendments to the Enforcement Rule. They were made permanent under this Omnibus Rule. Then we're going to talk about privacy compliance program management as it applies to healthcare. Really, what we're going to talk about is applicable to any industry, but for that discussion we're going to focus on just healthcare. As always, it's my pleasure to be your instructor. I hope you, your family members and significant others are safe and well during these trying times on this wonderful planet of ours. I look forward to talking to you as we look at other aspects of US healthcare privacy. Thank you and have a wonderful day.