1-The HIPAA Security Rule protects:
verbal data
electronic data
written data
All of the above
2-According to HIPAA, PHI does NOT include:
IP addresses
Patient’s past medical treatment information
Payments for health care provision
Health information with the identifiers removed
3-Which of the following access control mechanisms is used to prevent employees from copying a document labeled with high security to another document labeled with ‘public’?
Firewall
Zones
Encryption
Archive
4-It would be appropriate to release patient information to:
the patient’s (non-attending) physician brother
personnel from the hospital the patient transferred from 2 days ago, who is calling to check on the patient
the respiratory therapy personnel doing an ordered procedure
retired physician who is a friend of the family
5-Healthcare providers must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits under:
HIPAA
EHR
FCRA
FERPA
6-The mission of the law is to protect consumers’ personal financial information held by financial institutions
PCAOB
PHR
HIPAA
GLB
7-Which of the following statements about retention principles is true?
Organizations should keep business records as long as possible.
We only need to manage the records that are in use.
How long the records should be kept depends on the legal requirements and business needs.
Due to the security consideration, organizations should retain records longer than required.
8-Red flag rule requires that financial institutions:
must implement a written Identity Theft prevention Program
must comply with PCI standards
notify the customer that they may be a victim of identity theft
All of the above
9-Restricting access to the IT Department office of a hospital would fall under which type of safeguard required by the Security Rule of HIPAA?
electronic
technical
physical
administrative
10-According to Omnibus Final Rule, which of the following statements are correct?
If one EMR software vendor needs access to PHI, it would need to complete a BAA.
Business associates do not include entities that maintain PHI.
A BAA is required for the US Postal Service.
Cloud service providers for EMR storage and backup are not liable for compliance with the HIPAA privacy rule.
11-Which of the following is not part of the PII definition established by GAPP:
Address
Credit card number
Student ID
Medical information
12-This term refers to the security practice where no one has more access than is needed to do their job
Auditing
Least privilege
Authentication
CIA Triangle
13-The law “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws, and for other purposes.”
CIA
PCI
SOX
SEC
14-Being able to recover records after a disaster:
Effectiveness
Efficiency
Competency
Continuity
15-Law that requires a free credit report annually
FACTA
Red Flag Rule
FERPA
FCRA
16-Any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available
PII
NPI
FTC
PIN
17-Which of the following is specific to the health care industry?
PII
Non-public financial information
Student academic record
PHI
18-The statutory requirement that public companies submit quarterly and annual reports is promulgated by which agency:
FBI
SEC
CIA
CICA
19-Disposition is not part of the records management lifecycle.
True.
False.
20-In the CIA Triangle, the letters refer to what:
Confidentiality, Integrity, and Availability
Central Intelligence Agency
Confidentiality, Intrusion, and Availability
Cybersecurity In Action
IT 380
Electronic Document and Record Management Systems
Unit 2: Fundamentals of EDRMS
Instructor: Dr. Michelle Liu
Agenda
▪ Important terminologies, cont’d
▪ Documents vs. records
▪ Information theft
▪ Mobile devices
▪ The evolution of ERMS
▪ Key concepts
Functionality Requirements
▪ Policy and Rules
▪ Creating, maintaining, and enforcing information management policies,
whether a result of law and regulation, internal policy and process, or
business agreements
▪ Must operate across technology platforms and resources
▪ Examples include policies for retention, disposition, security, privacy,
use, and distribution.
▪ Content Management
▪ Creating, templating, capturing, storing, version managing, retaining,
archiving, disposing, collaborating, holding and preserving information
▪ Configuration Management
▪ Establishing ownership and custodial responsibilities and business
application dependencies
▪ Classification
▪ Classification of data, including the ability to distinguish between
business records and non-business information, classified and
non-classified in the government sense, personally identifiable information
(PII), and classifying information based on policy attributes
▪ Crawling (Gathering)
▪ Locating and gathering unstructured information scattered across the
information management environment
Functionality Requirements (Continued)
▪ Information Access and Discovery
▪ Indexing, searching, and discovery across resources
▪ Creation, Transfer and Copy Management
▪ Rules on the creation of information, copies to be maintained, transfer
of information, and de-duplication (single instancing)
▪ Security and Privacy
▪ Policies for identity management, information authentication, access
management, privacy control, use management and auditing
▪ For example, this functionality allows the user to determine the
authenticity of business records and to establish and maintain a policy
based relationship between users and data
▪ Analytics and Reporting
▪ Monitoring, alerting, and real-time reporting on key information
management events such as policy updates, configuration changes,
security anomalies, classification events, and “right-to-know” requests
▪ Compliance and Risk Mitigation
▪ Legal compliance and mitigation of risk resulting from inappropriate use
of the unstructured documents
Security of Electronic Documents
▪ Much of computer security also applies to
documents:
▪ Network defenses (firewalls, etc)
▪ Access control
▪ Encryption
▪ Journaling and logging
▪ Special techniques:
▪ Digital signatures
▪ Watermarking
▪ Digital Rights Management (DRM)
▪ Preservation
Privacy of Electronic Documents
▪ Much of privacy same as other types of data
▪ Privacy policy
▪ Disclosure of personally identifiable information (PII)
▪ Internet access and availability
▪ Breach notification rules
▪ Global variations
▪ Document specific concerns
▪ Classification
▪ Collaboration
▪ Redaction
▪ Proliferation
▪ Source: “Commercial Data Privacy and Innovation in
the Internet Economy: a Dynamic Policy Framework” ,
Department of Commerce, December 2010
Known Problems
▪ Need for end-to-end solution
▪ From creation to disposal
▪ Lack of scalability
▪ Integration issues
▪ Escalating storage growth
▪ Inflexible policy management
▪ Inaccurate auto-classification engines
▪ Inadequate search capabilities
▪ Increasing regulatory compliance
▪ Increasing amounts of e-discovery
Electronic Document Management Roadmap
▪ Basic principles and objectives
▪ Inventory of document assets (where are they)
▪ Converting existing paper records
▪ Managing distribution inside and outside the
organization
▪ A methodology to automate data classification
▪ Records management policies and procedures
▪ Educational materials (for communicating ‘the why’)
▪ Training materials (for transferring knowledge of ‘the
how’)
▪ Auditing and compliance parameters and metrics
▪ A lifecycle strategy/plan for continuous improvement
Making Priorities
▪ Get better understanding of the user’s
information flow needs
▪ Identifying the information flow disconnects and
resulting unintentional non-compliance with
regulatory, legislative, and corporate policies
▪ More effective management of cultural change
and better opportunity for project marketing
▪ Initial focus on education (the why) and save
training (the how) for later on in the process
Selecting Tools
▪ No single solution available from a vendor that will meet
all requirements
▪ All current single solutions will be overkill in some areas and
lacking in others.
▪ Integration of solutions, therefore, will be necessary
▪ Technologies and vendors that do not facilitate and “play
nice” with other solutions should be avoided
▪ Short-term solutions to fix critical business problems
may be necessary
▪ Cost of replacing the solution should be built into the
business case and budget
▪ Solutions can and should be different for different
departments/LOBs.
▪ The ability to effectively classify data in line with policy
must be included in every tool selected
Electronic Discovery
From edrm.net
References
▪ ISO 15489
▪ MoReq2
▪ US DOD 5015.2
▪ Other relevant sources
Definition of Record
▪ “Information created, received, and
maintained as evidence and information by
an organization or person, in pursuance of
legal obligations or in the transaction of
business.”
–Source: ISO 15489
Key Points of Record
▪ A record could, in principle, be in any form or
format we can think of, so long as it conveys
information.
▪ Records are not only created within
organizations but also received by them.
▪ The word “maintained” indicates that it is not
enough to ‘capture’ records. They have to
be stored, and managed properly once
stored.
▪ Include disposing of records when they are no
longer needed
Key Points of Record, Cont’d
▪ For a record to be good evidence (e.g., in a
court case), there must be no doubt that it is
complete and unchanged.
▪ Place requirements on ERM systems
▪ Records need to be kept for two reasons:
▪ Legal obligations
▪ Transaction of business
Records Management
▪ In the past, the term used to refer only to the management of
records which were no longer in everyday use but still needed to
be kept
▪ Today, refers to the entire ‘lifecycle’ of records – from the point of
creation right through until their eventual disposal
▪ The ISO 15489-1: 2001 standard (“ISO 15489-1:2001”) defines
records management as “[the] field of management responsible
for the efficient and systematic control of the creation, receipt,
maintenance, use and disposition of records, including the
processes for capturing and maintaining evidence of and
information about business activities and transactions in the
form of records”
▪ The ISO considers management of both physical and electronic
records
Question
▪ What is a document?
Definition of Document
Recorded information or object which can be
treated as a unit.
Source: ISO15489
Information set down in any physical form or
characteristic. A document may or may not meet
the definition of a record.
Source: DoD 5015.2
Document vs. Record
▪ The definition of “document” does not say
anything about whether, or how, the
documents are kept.
▪ The definition of “record” sets out strictly how
they must be managed.
▪ Some documents become records at some
time in their existence.
▪ Others don’t!
▪ Document can be changed by suitably-authorized
people
▪ By definition, document is not necessarily
controlled.
Changes to Documents not Records
▪ Documents can change BUT records do not
and MUST not change
▪ The record is a document or set of documents,
all relating to a specific matter that has
happened in the past
▪ A record of history
▪ A document could be a work in progress
▪ Subject to change and therefore not a record
automatically
▪ Documents do become records once they are
finalized
Worldwide Shift
▪ In today’s digital world, the distinction between
records and documents has become vague
▪ Any document can be considered a record and any
piece of its content can be extracted and used in a
context different from the original intention of the
document, making it a separate record
▪ The traditional view of records management as a
discipline has been changed
▪ Not restricted in library catalogue and archive
management any more
▪ How records are created and used in
organizations is also reshaped
3/5/2021
Worldwide Shift, cont’d
▪ In recent years there has been a worldwide shift
toward electronic transactions, in business and
government
▪ Internet
▪ Mobile applications
▪ BYOD
▪ People do not have to be physically present at an
office location
▪ Organizations need to be able to access information
quickly, easily, and efficiently
▪ Paper files and folders have been used for years and
are an ingrained culture
▪ Need to be replaced by electronic document and
record management system
Archive
▪ Files that are selected for permanent or long-
term preservation due to enduring historical
value
▪ Area or media used for long-term storage
▪ Inactive or not as active but required to be
maintained for legal or operational reasons
Information Leaking
▪ Web-facing documents contain confidential data
▪ Internal server?
▪ Spiders?
▪ Multiple drafts before document is published
▪ History
▪ Properties
▪ Redaction
▪ Lost laptops with no access controls
▪ Storage media that do not show sensitive content
▪ Reuse of electronic media
▪ Deleted files?
▪ Credentials easy to forge
▪ Physical access
▪ Small hard drives and thumb drives that can be easily
hidden
Protection Against Information Leakage
▪ Not always intentional
▪ Common problems:
▪ Not understanding the information conveyed in
metadata such as in a Word document
▪ Not employing robust encryption protection
▪ Inadequate monitoring of sensitive data and
filtering of data leaving a company
▪ IM
▪ FTP
▪ Inadequate erasure of magnetic media
▪ Delete not enough
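The metadata problem named on this slide can be checked before a Word file leaves the organization. The following is an added example, not part of the course material: it reads the author, last editor, revision count and tracked changes from a .docx package. The sample document, its names and the `publication_blockers` rule set are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, a hardened parser such as defusedxml is preferable

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def inspect_docx(data: bytes) -> dict:
    """Return metadata and edit history that a reader of the published file could recover."""
    findings = {"tracked_insertions": 0, "tracked_deletions": 0,
                "deleted_text": [], "has_comments": False}
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = set(package.namelist())
        # Document properties: who wrote it, who last saved it, how many revisions.
        if "docProps/core.xml" in names:
            core = ET.fromstring(package.read("docProps/core.xml"))
            for key, path in (("author", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("revision", "cp:revision")):
                element = core.find(path, NS)
                if element is not None and element.text:
                    findings[key] = element.text
        # Tracked changes: text marked as deleted is still stored in the file.
        if "word/document.xml" in names:
            body = ET.fromstring(package.read("word/document.xml"))
            findings["tracked_insertions"] = len(body.findall(".//w:ins", NS))
            deletions = body.findall(".//w:del", NS)
            findings["tracked_deletions"] = len(deletions)
            for deletion in deletions:
                parts = deletion.iter("{%s}delText" % NS["w"])
                findings["deleted_text"].append("".join(p.text or "" for p in parts))
        findings["has_comments"] = "word/comments.xml" in names
    return findings


def publication_blockers(findings: dict) -> list:
    """Hypothetical release rule: block files that still carry history or identities."""
    reasons = []
    if findings["tracked_insertions"] or findings["tracked_deletions"]:
        reasons.append("unresolved tracked changes")
    if findings["has_comments"]:
        reasons.append("reviewer comments present")
    if "author" in findings or "last_modified_by" in findings:
        reasons.append("personal names in document properties")
    return reasons


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal package with properties and one tracked edit."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>J. Example</dc:creator>"
        "<cp:lastModifiedBy>Legal Reviewer</cp:lastModifiedBy>"
        "<cp:revision>17</cp:revision>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"])
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        "<w:r><w:t>Settlement amount: </w:t></w:r>"
        '<w:del w:id="1" w:author="Legal Reviewer">'
        "<w:r><w:delText>4.2 million</w:delText></w:r></w:del>"
        '<w:ins w:id="2" w:author="Legal Reviewer">'
        "<w:r><w:t>undisclosed</w:t></w:r></w:ins>"
        "</w:p></w:body></w:document>" % NS["w"]
    )
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr("docProps/core.xml", core)
        package.writestr("word/document.xml", document)
    return buffer.getvalue()


if __name__ == "__main__":
    result = inspect_docx(build_sample_docx())
    print(result)
    print(publication_blockers(result))
```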
Google Hacking
▪ Uses Google Search and other Google applications
to find confidential information in various places on
the Web
▪ Examples of sources:
▪ Naming Web tools on Web site: “Powered by:”
▪ Published paper in a professional journal
▪ Employment Ad. describing systems environment
including Web infrastructure
▪ Posting a newsgroup asking for technical advice on an
issue
▪ Blog posting
▪ Biography of researcher indicating areas of research
▪ Need to develop appropriate search patterns to find
the information
Need for Controls
▪ Controls result from a security policy put in place to
manage the problem
▪ If an organization does not have means to identify its
assets, it cannot protect them from
▪ Unauthorized access
▪ Theft
▪ Compromise
▪ Based on principle of least privilege
▪ Only have access if needed by my job
▪ Organize into security zones to minimize disclosure
of sensitive information
▪ Label according to the zone in which it was created
Use of Zones
▪ Example:
▪ Public
▪ Internal
▪ Sensitive
▪ Confidential
▪ High security
▪ Cannot move a document created in one zone to a
zone of lesser security without some form of control
▪ Redaction
▪ Only public documents can be used on mobile
applications
▪ Security auditing software is used to check that
documents are labeled and in the appropriate zone
otherwise an alert is raised
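The zone rules on this slide can be expressed as a small policy check. This is an added example, not part of the course material: the zone order follows the slide's list, while the `Document` fields, the `redacted` flag as the approved control, and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Zone(IntEnum):
    """Zones from the slide's example, ordered from least to most restrictive."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    CONFIDENTIAL = 3
    HIGH_SECURITY = 4


@dataclass(frozen=True)
class Document:
    name: str
    label: Optional[Zone]   # zone the document was created in; None means unlabeled
    location: Zone          # zone of the repository that currently holds it
    redacted: bool = False  # assumption: set only by an approved redaction step


def may_move(doc: Document, target: Zone) -> bool:
    """A document may move to an equal or higher zone; moving down needs a control."""
    if doc.label is None:
        return False          # an unlabeled document cannot be placed anywhere
    if target >= doc.label:
        return True
    return doc.redacted       # redaction is the control named on the slide


def may_use_on_mobile(doc: Document) -> bool:
    """Only documents labeled public may be used on mobile applications."""
    return doc.label == Zone.PUBLIC


def audit(docs: List[Document]) -> List[str]:
    """Return one alert per document that is unlabeled or stored below its label."""
    alerts = []
    for doc in docs:
        if doc.label is None:
            alerts.append(f"{doc.name}: unlabeled document in {doc.location.name}")
        elif doc.location < doc.label and not doc.redacted:
            alerts.append(
                f"{doc.name}: labeled {doc.label.name} but stored in {doc.location.name}"
            )
    return alerts


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = [
    Document("press-release.pdf", Zone.PUBLIC, Zone.PUBLIC),
    Document("org-chart.docx", Zone.INTERNAL, Zone.INTERNAL),
    Document("patient-list.xlsx", Zone.HIGH_SECURITY, Zone.PUBLIC),
    Document("case-summary.pdf", Zone.CONFIDENTIAL, Zone.PUBLIC, redacted=True),
    Document("scan-0042.tif", None, Zone.INTERNAL),
]


if __name__ == "__main__":
    for alert in audit(SAMPLE_INVENTORY):
        print("ALERT", alert)
```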
Mobile Devices
▪ Increasingly mobile and digital society
▪ PDAs
▪ Laptops
▪ Cell phones
▪ Thumb drives
▪ CD/DVDs
▪ Mobile devices become easy target
▪ Small and easy to conceal
▪ Easy to resell device
▪ Information may be valuable for fraud or
blackmail activities
Losing Mobile Devices
▪ Nearly every type of organization has reported
a data breach because of a lost mobile device
▪ Hospital
▪ University
▪ Financial services company/bank
▪ Government agencies
▪ Three preventative measures:
▪ User education: carelessness is major cause
▪ Tracking lost devices
▪ Protecting information
▪ “Bogus” data added
▪ Encryption
Implementing an Organization-Wide System
▪ The vast majority of organizations have not
implemented an organization-wide system
▪ Some departments are more automated than others
▪ No central source of documents
▪ Much duplication
▪ Daunting prospect given that:
▪ Existing paper-based culture for review and approval
▪ Many historical records still on paper and no electronic
document available
▪ Three aspects:
▪ Technical
▪ Managerial
▪ Cultural change
Document Image Processing (DIP)
▪ Earliest systems beginning in 1980s
▪ Electronic equivalent of a filing cabinet
▪ Scanning
▪ Indexing
▪ Storage
▪ Retrieval
▪ Some systems also included elements of
workflow
▪ Routed scanned documents around the
organization for designated staff to process
Electronic Document Management System (EDMS)
▪ Emerged in the 1990s
▪ Generally integrated with systems such as
Microsoft Office
▪ Allowed users to actively manage documents
▪ Documents stored in a document repository
▪ Check documents in and out
▪ Versioning used to track version control
▪ May also include DIP functionality
▪ Scanning
▪ Indexing
▪ Archiving
Electronic Record Management System (ERMS)
▪ First started appearing in the 1990s
▪ Records management is the practice of maintaining
the records of an organization from the time they are
created up to their eventual disposal.
▪ Classifying
▪ Storing
▪ Securing
▪ Destruction or archival preservation
▪ A record can be either a tangible object or digital
information: for example, birth certificates, medical x-rays,
office documents, databases, application data, and e-mail
▪ Primarily concerned with the evidence of an organization’s
activities, and is usually applied according to the value of
the records rather than their physical format
Quiz 1 Terms
▪ Access control
▪ Analytics
▪ Authenticity
▪ Backup
▪ Classification
▪ Configuration management
▪ Controls
▪ Content management
▪ Crawling
▪ Data at rest
▪ Data integrity
▪ Digital signature
▪ Disposition
▪ Document management
▪ E-discovery
▪ EDMS
▪ Electronic document
▪ Encryption
▪ File management
▪ HIPAA
▪ Indexing
▪ Information redundancy
▪ Media stability
▪ Metadata
▪ Open government
▪ PII
▪ Preservation
▪ Privacy
▪ Records management
▪ Redaction
▪ Retention
▪ Risk mitigation
▪ Scanning
▪ Security
▪ System of record
▪ Transparency
▪ Unstructured data
▪ Vital records
IT 380
Electronic Document and Record Management Systems
Unit 3: ERMS Concepts, Challenges and Principles
Instructor: Dr. Michelle Liu
Agenda
▪ Introduction to ERM
▪ What is an electronic record?
▪ Records lifecycle
▪ Characteristics of a record
▪ Issues, problems and principles of
electronic records management
▪ Why do electronic records present special
challenges? (Open Discussion)
Quick Recap
▪ What is a retention schedule?
▪ What is the purpose of a digital signature?
▪ What is a vital record?
▪ Why is metadata important (in EDRMS)?
▪ What is e-discovery?
▪ What is Big Data?
▪ What is BYOD?
▪ Major functionalities of EDRMS?
Recap: Records Management
▪ “Field of management responsible for the
efficient and systematic control of the
creation, receipt, maintenance, use and
disposition of records, including processes
for capturing and maintaining evidence of
and information about business activities and
transactions in the form of records”.
▪ Source: ISO 15489
What is Records Management?
▪ Records management is one of management’s
responsibilities.
▪ “Systematic control” relates to the fact that the
records management discipline calls for records
to be stored in an organized, or systematic,
fashion.
▪ Records management addresses the entire
lifecycle of records.
▪ A critical part of records management is storing
records to make sure they remain accessible.
▪ It is important that records are disposed of as
soon as they no longer have to be kept.
What is Records Management? (Continued)
▪ “…maintaining evidence”
▪ Records may be needed as evidence – whether in
response to a subpoena, to prosecute a litigation,
to demonstrate actions to a regulator, to prove
transactions to an auditor, or for other reasons.
▪ Records management requires that records are
secured against change and against unauthorized
deletion
▪ “Business activities and transactions” hint at the
formal definition of ‘record’.
Classification
Systematic identification and arrangement of
business activities, and/or records into categories,
according to logically structured conventions,
methods, and procedural rules represented in a
classification system
Source: ISO15489
Archive
▪ Files that are selected for permanent or long-
term preservation due to enduring historical
value
▪ Area or media used for long-term storage
▪ Inactive or not as active but required to be
maintained for legal or operational reasons
Preservation
Processes and operations involved in ensuring
the technical and intellectual survival of authentic
records through time.
Source: ISO15489
Just Another Day at the Office
With so many document technology
solutions available, why don’t our
organizations feel more productive?
Well, because we’re not!
Source: Harris Interactive Knowledge Worker Survey, 2015
How often do you perform the
following actions when working
with PDF?
Implementing an Organization-Wide System
▪ The vast majority of organizations have not
implemented an organization-wide system
▪ Some departments are more automated than others
▪ No central source of documents
▪ Much duplication
▪ Daunting prospect given that:
▪ Existing paper-based culture for review and approval
▪ Many historical records still on paper and no electronic
document available
▪ Three aspects:
▪ Technical
▪ Managerial
▪ Cultural change
The Business Drivers for ERM
▪ Efficiency
▪ Effectiveness
▪ Continuity
▪ Compliance
Compliance
▪ Laws;
▪ Regulations;
▪ Policies;
▪ Standards; and
▪ Best practice.
Effectiveness
▪ Not losing records
▪ Sharing records
▪ ERM systems allow several users to read a
record at once, whereas with paper records
only one person can.
▪ Finding records easily
▪ ERM systems typically offer a multitude of
ways to find specific records or
correspondence items
▪ Getting the complete picture
Effectiveness: Other Examples
▪ Higher evidential weight
▪ Faster information retrieval
▪ Office relocations
▪ Difference between moving hundreds of file
cabinets or moving a dozen CDs.
▪ 24-hour, 7-day availability of information
Efficiency
▪ Accessing records quickly
▪ Records are held in a computer
▪ Well indexed
▪ Space savings
▪ Reduced handling costs
▪ Other examples:
▪ Archival costs
▪ Disposal of furniture
Continuity
▪ Being able to recover records after a
disaster
▪ Records are vulnerable to loss
▪ Businesses tend to fail if they lose their
records (or access to them).
▪ Electronic storage may speed recovery
from a disaster
▪ Backup
▪ Business continuity plan
The Importance of Records
▪ Virtually all newly-created records are
created electronically today – they are what
we call “born digital”
▪ Format:
▪ Letters
▪ Emails
▪ Faxes
▪ Web transactions
▪ Others…
The Importance of Records
▪ Very few new records are not electronic
▪ But many existing records are in a physical
format
▪ In an ERM project, it will often be essential to
take these physical records into account.
▪ The growth in the awareness of how
important record keeping can be.
▪ Failures of governance
▪ Increasing government requirements for
retention and disposition
Question about ERM
Is ERM
▪ The electronic management of paper records?
▪ The management of electronic records?
Formats of Records
▪ Electronic:
▪ Web pages, e-mail messages, word processed
documents, presentations, spreadsheets,
diagrams, forms, databases, portable
documents, drawings, audio or video…
▪ Physical:
▪ Papers, microfilm and microfiche, audio and
video tapes, CDs and DVDs, and even ‘exotic’
or specialist records such as oil drilling cores.
The Records Lifecycle
▪ Based on the National Archives and Records
Administration (NARA)
▪ The records lifecycle comprises three primary
phases:
▪ Creation or receipt
▪ The process of formally receiving records and placing
them into the records control framework is called
capture and declaration.
▪ Maintenance and use
▪ Disposition
▪ Those of little value should not be retained any longer
than necessary.
Characteristics of an Authoritative Record
▪ Authenticity – An authentic record can be proven to be
what it purports to be, created or sent by the person
purported to have created or sent it, and created or sent at
the time purported.
▪ Reliability – A reliable record can be trusted as a full and
accurate representation of the transactions, activities, or
fact to which it attests.
▪ Integrity – A complete and unaltered record is said to
possess integrity.
▪ Usability – A usable record can be located, retrieved,
presented, and interpreted.
~ISO 15489-1:2001
Fundamental Principles
▪ Records are created, received, and used in
the conduct of organizational activities
▪ Organizations should create and maintain
authentic, reliable, and usable records
▪ Based on Generally Accepted
Recordkeeping Principles® established by
ARMA International
The Principles: Your Sword & Shield
Access and usage principles
▪ Records should be accessible to
authorized users
▪ Users should be able to search for and
access records in usable formats
▪ Records should be organized to
support access and management
Retention principles
▪ Records must be managed through their
lifecycle.
▪ Records should be kept as long as required
▪ Legal requirements, and
▪ Business or operational needs.
▪ Retaining records longer than required may
increase organizational liability and the cost
of doing business
Disposition Principles
▪ Disposition is an accepted phase of the
records lifecycle
▪ Transfer/accession
▪ Destruction
▪ Records can, and should, be disposed of at
the end of their lifecycle
Information Systems and Records Management Systems
▪ Information Systems
▪ No attention to the concept of a record (or)
▪ Record as an entry in a structured system
▪ Recordkeeping Systems
▪ Record as evidence
▪ Fixity
▪ Related to process, person, time (context)
IT 380
Electronic Document and Record Management Systems
Unit 4: Legislation, Standards, Regulations and Policy
Instructor: Dr. Michelle Liu
Topics
▪ Implied and explicit regulatory requirements for
documents
▪ Privacy as part of other laws
▪ U.S. security and privacy laws
▪ SOX
▪ HIPAA
▪ FCRA/FACTA
▪ GLB
▪ Government-specific regulations
Protections Modified
▪ 4th Amendment EXPANDED
▪ Person protected as well as place
▪ Katz v. U.S. (1967)
▪ Warrantless phone booth wiretap violated Fourth
Amendment
▪ “Reasonable assumption of privacy” test
▪ Did person exhibit personal expectation to privacy
▪ Does society recognize expectation as reasonable
▪ LIMITED
▪ Garbage placed at the curbside is public property
▪ California v. Greenwood, 1988
Katz vs. United States
▪ FBI placed a recording device on the outside
of a telephone booth to record defendant
transmitting wagering information to Miami
and Boston
▪ Defendant appealed conviction, contending
recordings were obtained in violation of
Fourth Amendment
▪ COA rejected because no physical entrance
into phone booth
▪ The Supreme Court reversed the defendant’s
conviction
Statutory Approach
▪ No systematic approach or basic concepts
▪ Solutions for specific problems
▪ Types of records
▪ Kinds of institutions
U.S. Security and Privacy Laws
▪ Freedom from disclosure
▪ Restrict public disclosure of private facts
▪ Freedom from theft
▪ Data security
▪ Freedom from seizure
▪ Law enforcement powers and limits
▪ Freedom from nuisance
▪ Intrusion on the seclusion of another
▪ May overlap
U.S. Privacy Laws up to 1968
▪ Privacy of mail (1782 & 1825)
▪ Warrant required to open mail (1877)
▪ State laws against disclosure of telegrams (1880s)
▪ Privacy of census (1919) – regulations before
▪ Communications Act of 1934
▪ prohibited federal officials from disclosing info about
intercepted communications
▪ Omnibus Crime and Control Act of 1968 (Wiretap
Act)
Content and Metadata: Legal Rules
▪ Katz v. United States, 1967
▪ Smith v. Maryland, 1979
Attempts at Rational Policy
▪ Records, Computers and the Rights of Citizens
▪ US Department of Health, Education, and Welfare, 1973
▪ Personal Privacy in an Information Society
▪ US Privacy Protection Study Commission, 1977
▪ HEW Report
▪ Proposed set of “fair information practices”
▪ No secret databases
▪ Mechanism to find what in database and how used
▪ Prior approval to put info obtained for one purpose to
use for another purpose
▪ Mechanism to correct errors or amend record
▪ Organizations must ensure reliability of data for
intended use and take reasonable precautions to
prevent misuse
https://www.epic.org/privacy/hew1973report/
https://epic.org/privacy/ppsc1977report/
https://epic.org/privacy/1974act/
Privacy Commission
▪ Study areas
▪ Industry specific – credit, banks, insurance, medical,
investigative/reporting, education
▪ Issue specific – employment, medical care,
government access to private records, tax records,
research and statistical studies, social security
number, use of mailing list data
▪ Statute specific – Privacy Act of 1974
▪ 162 recommendations
3/6/2021
U.S. Laws in the 1970s
▪ Fair Credit Reporting Act of 1970
▪ Bank Secrecy Act of 1970
▪ Privacy Act of 1974
▪ Amended FOIA
▪ Regulates collection of information about individuals
▪ Prohibits unauthorized disclosure
▪ Gives individuals right to access & correct their records in federal
databases
▪ Family Educational Rights and Privacy Act of 1974
(FERPA)
▪ Federal law that protects the privacy of student education records
▪ Right to Financial Privacy Act of 1978
▪ Fair Debt Collection Practices Act – 1978
▪ Foreign Intelligence Surveillance Act of 1978
U.S. Laws in the 1980s
▪ Privacy Protection Act of 1980
▪ Cable Communications Policy Act of 1984
▪ Protects privacy of cable records, including viewing
habits, and limits collection
▪ Electronic Communications Privacy Act of
1986
▪ Extended Wiretap Act to computer-based data
▪ Stored vs. in transit distinction
▪ Employee Polygraph Protection Act of 1988
▪ Restricts use of polygraphs by private sector
▪ Video Privacy Protection Act of 1988
▪ Protects privacy of video tape rental & purchase records
Sarbanes-Oxley Act of 2002 (SOX)
▪ “To protect investors by improving the
accuracy and reliability of corporate
disclosures made pursuant to securities
laws, and for other purposes.”
▪ In response to financial scandals
▪ Enron, WorldCom, Tyco
▪ Arthur Andersen
▪ 11 sections with requirements procedures;
e.g.
▪ Companies evaluate and disclose the effectiveness of
their internal financial controls
▪ CEO & CFO certify accuracy of reports
▪ Fully independent audit committees and auditors
▪ Increased insider trade reporting
SOX Provisions
▪ Established Public Company Accounting
Oversight Board (PCAOB)
▪ Auditor Independence
▪ Corporate Responsibility
▪ Enhanced Financial Disclosures
▪ Analyze Conflicts of Interests
▪ SEC Resources and Authority
Penalties Under SOX
▪ Failure to comply or submission of an inaccurate certification: fine up to $1 million and ten years in prison
▪ A wrong certification submitted purposely: fine up to $5 million and twenty years in prison
▪ Violate SEC regulations: may be ineligible to hold a director or officer position in any publicly traded company
SOX 404: Viable Internal Controls
▪ Creation and maintenance of internal
controls
▪ Separation of duties
▪ Checks and balances
▪ Documentation of events
▪ Internal controls
▪ Internal controls include
▪ Policies
▪ Procedures
▪ Training programs
▪ Other processes (example: inventory control)
How does it relate to records management?
▪ Record retention
▪ Copies of records
▪ Audit trail
SOX Section 404 & IT
▪ SOX internal controls
▪ Requires annual statement of the “effectiveness of
the company’s internal control structure and
procedures for financial reporting” and “must
disclose any material weakness”
▪ IT controls underlie other process controls – thus
section 404 requires good IT controls
Devices & Integration Proliferating Quickly
▪ Mobile apps
▪ Medical monitoring devices
▪ Medical delivery devices
▪ Wirelessly-connected Internet of Things (IoT)
mobile med-devices
▪ Wearable fitness monitor
▪ Smart watch
▪ Smart clothing
▪ Assisted mobile device diagnosis
▪ Consumer health record repositories
▪ Health information exchanges
Institutions Become More
Complex
▪ Mergers of hospitals with other businesses
▪ Use of cloud-based business services
▪ Hospital chains expanding their scope
▪ Building large ambulatory practice groups
▪ Outsourcing radiology, ICU and dialysis
▪ Standing up health insurance companies
▪ Manage privacy
▪ Audit activity
▪ Manage reliability
What is the Big Deal?
▪ Street cost for a stolen record:
▪ Medical: $50 vs. SSN: $1
▪ Payout for identity theft
▪ Medical: $20,000 vs. Regular: $2,000
▪ Medical records can be exploited 4x longer
▪ Credit cards can be cancelled; medical records can’t
▪ Medical Records Abuse consequences
▪ Prescription fraud
▪ Embarrassment
▪ Financial fraud
▪ Personal data resale
▪ Blackmail/extortion
▪ Medical claims fraud
▪ Job loss/reputational
RSA Report on Cybercrime and the Healthcare Industry
❑ Majority of clinical fraud:
❑ Obtain prescription narcotics for
illegitimate use
❑ Free health care
TAKE A CLOSER LOOK AT
HIPAA
Topics
▪ HIPAA
▪ Why do those laws and regulations exist?
▪ Who is covered?
▪ What is covered?
▪ What is required or prohibited?
▪ What happens if I don’t comply?
HIPAA Overview
▪ The Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
addressed insurance portability, fraud and
administrative simplification
▪ This act is watershed legislation for the
healthcare industry
▪ It resulted in substantial investment in e-
health initiatives and deployment of security
technology in the healthcare industry
HIPAA Goals
▪ Improve portability and continuity of health
insurance coverage in the group market
▪ Combat waste, fraud and abuse in health
insurance and healthcare delivery
▪ Promote the use of medical savings
accounts (HSAs)
▪ Improve access to long term care services
and coverage
▪ Simplify healthcare administrative data
exchange
Protected Health
Information
▪ Healthcare providers must ensure the
confidentiality, integrity, and availability of
electronic protected health information (ePHI)
that the covered entity creates, receives,
maintains, or transmits
Privacy Rule and Security
Rule
▪ The privacy rule regulates uses and disclosures of
PHI,* while the security rule regulates the creation,
receipt, maintenance, and transmission of electronic
PHI.
▪ All electronic PHI is PHI subject to the privacy rule.
But not all PHI is electronic PHI—PHI is the larger
category and electronic PHI is a subset.
Privacy Rule and
Security Rule
▪ Privacy Rule
▪ “Have in place appropriate administrative, technical,
and physical safeguards to protect the privacy of
protected health information.”*
▪ Applies to ALL PHI
▪ Need to know/Minimum necessary (to do jobs)
▪ Security Rule
▪ What policies/trainings/technologies are in place to
keep unauthorized people from seeing your data?
▪ Applies to Electronic PHI
▪ Does not apply to PHI on pieces of paper or to PHI
that is faxed over dedicated phone lines!
Omnibus Final Rule
▪ Took effect on September 23, 2013
▪ The biggest change to HIPAA in 15 years
▪ Makes business associates of covered entities directly
liable for compliance with certain aspects of the HIPAA
Privacy and Security Rules’ requirements*
▪ Covered entity: healthcare providers, health plans,
healthcare clearinghouses
▪ The term business associates refers to any entity that
provides supporting products or services that are related
to PHI
▪ Create, receive, maintain or transmit PHI
▪ Business Associate Agreements (BAAs) are formalized and
legally binding documents in which these entities
acknowledge their responsibilities for maintaining privacy
and security standards as part of the provider’s service.
*Source: U.S. Department of Health and Human Services
The Privacy Rule
▪ Limits on uses and disclosures
▪ Individual privacy rights
▪ Administrative requirements
• Laptop/notebook
• Tablet computers such as iPads
• Mobile/Cellular phones
• Smartphones
• PDA
3/6/2021
The Security Rule
▪ Technical safeguards
▪ Administrative safeguards
▪ Physical safeguards
• Laptop/notebook
• Tablet computers such as iPads
• Mobile/Cellular phones
• Smartphones
• PDA
Organizational
Policies, Procedures and Documentation
Privacy and Security
Privacy: Covered Information
▪ Protected Health Information (PHI) includes
patient identifiable data such as:
▪ Names, addresses, dates, phone numbers, email addresses,
SSN, license numbers, IP addresses, account numbers, etc.
▪ Any patient information created or received relating to past,
present, or future condition; provision of health care; past,
present, or future payments for health care provision
▪ De-identified health information is not
considered PHI
▪ Privacy Rule
▪ Disclose policies for use and disclosure of information
▪ Privacy compliance program, including staff training
Permitted Disclosures
▪ PHI can be released without prior
authorization for Treatment,
Payment, and Health Care
Operations.
▪ As a general rule, anything else
requires specific written authorization
from the patient.
Example from Random Audit
Review
▪ Random Audit reveals employees snooping
in Emergency Department records
▪ For Cause Audit reveals employee looking
up lab results for family member
▪ High Profile Audit reveals employees
snooping in accident victim’s records
Examples of PHI Breach
▪ Local church reports medical records
received due to misdialed fax number
▪ Patient notified of breach due to test results
being given to another patient
▪ Patients notified of breach when email sent
with incorrect attachment
▪ Privacy investigation reveals unauthorized
disclosure, results in termination of 35+ year
nurse.
Can you spot the breach?
How about ransomware?
▪ Ransomware incidents treated as data
breaches under HIPAA
▪ Ransomware attacks constitute breach
unless there is substantial evidence to
contrary (US DHHS OCR)
▪ Must initiate security incident response and
reporting procedures as called for by HIPAA
Security Rule
▪ Must also follow risk assessment requirements of
HIPAA Breach Notification Rule
HIPAA Criminal Penalties
▪ UCLA researcher notified of termination. In
retaliation he accessed the medical records of his
superior, co-workers and celebrities. He was
convicted and sentenced to 4 years in jail.
▪ LPN from medical clinic accessed PHI of patient and
gave it to her husband to use in a legal
proceeding against the patient. Both the LPN and
her husband were indicted.
▪ Trinity Medical Center (Birmingham, AL)
employee indicted for stealing identifying
information of 4,000 patients for committing
identity theft.
Examples and Exceptions
▪ A hospital (covered entity) adopts an electronic medical
records (EMR) system.
▪ If the EMR software vendor (business associate) needs
access to PHI then it
would need to complete a BAA.
▪ If the hospital uses cloud-based services to store data
containing PHI then the cloud-based services provider
would need to complete a BAA.
▪ A BAA is not required for organizations, such as the US
Postal Service, certain private couriers and their
electronic equivalents that act merely as conduits for
protected health information
Additional Considerations
▪ Notices of Privacy Practices
▪ Breach Notification Requirements
▪ Patient(s) must be notified within 60 days;
▪ All breaches must be reported to the
Department of Health and Human Services
through the Office for Civil Rights
▪ Security Rule
Compliance
The HIPAA Security Rule
▪ Requires covered entities to:
▪ Ensure protection against any reasonably
anticipated threats or hazards to the security or
integrity of information
▪ Protect against reasonably anticipated uses and
disclosures
▪ Ensure compliance by workforce
▪ Review and modify security measures periodically
to continue reasonable and appropriate
protections
The C-I-A Triad
▪ A widely used benchmark
for evaluation of information
systems security
▪ A system possessing all
three of these properties all
of the time is secure
▪ A system not possessing
one or more of these
properties at any time is not
secure
Three Pillars of HIPAA-HITECH
Compliance
Implementation Specifications
▪ Grouped into 5 Categories
▪ Administrative
▪ Physical
▪ Technical
▪ Organizational
▪ Policies, Procedures and
Documentation
▪ Identified as “Required” or “Addressable”
▪ Required
▪ Addressable – based on sound, documented
reasoning from risk analysis
Administrative Safeguards
▪ Designate an individual responsible for HIPAA
compliance for the organization
▪ Analyze security risks and implement policies
and procedures that prevent, detect, and
correct security issues
▪ Define sanctions for security violations
▪ Ensure members of the work force have access
to information appropriate for their jobs
▪ Implement termination procedures
▪ Implement procedures authorizing access
Administrative Safeguards (Cont.)
▪ Implement
▪ a security awareness and training program
▪ policies and procedures for reporting and
responding to security incidents and other
emergencies
▪ Periodically monitor adherence to security
policies and procedures, document results,
and make appropriate improvements
▪ Establish contracts between a covered entity
and business associates to ensure appropriate
safeguards are in place to protect
ePHI
Physical Safeguards
▪ Limit physical access to equipment and
locations that contain or use ePHI
▪ Specify workstation and work area roles
and assignments where workstations with
access to ePHI are located
▪ Specify how workstations permitting
access to ePHI are protected from
unauthorized use, including laptops, PDAs,
etc.
▪ Address the receipt and removal of
hardware and electronic media that contain
ePHI
Technical Safeguards
▪ Implement policies and procedures limiting
access to ePHI to persons or software
programs requiring the ePHI to do their jobs
▪ Install hardware, software, or manual
mechanisms to examine activity in systems
containing ePHI
▪ Ensure policies and procedures that protect
ePHI from being altered or destroyed
▪ Implement mechanisms to protect ePHI that is
being transmitted electronically from one
organization to another
Organizational Requirements
▪ Document that business associate
contracts or other arrangements comply
with the security measures when handling
ePHI
▪ Ensure that business associates have
plans that document appropriate
safeguards for ePHI
Policies, Procedures and
Documentation
▪ Implement reasonable and appropriate policies
and procedures to comply with the standards,
implementation specifications, and other
requirements of the security rule
▪ Ensure that written or electronic records of policies
and procedures implemented to comply with the
security rule be maintained for a period of six
years from the date of creation or the date when
last in effect
Enforcement: Amount of CMP –
45 CFR § 160.404
Don’t Forget Criminal Penalties
▪ Congress also established criminal penalties for
certain actions…
▪ Up to $50,000 and one year in prison for certain
offenses such as knowingly obtaining PHI
▪ Up to $100,000 and up to five years in prison if
the offenses are committed under false pretenses
▪ Up to $250,000 and up to 10 years in prison if
the offenses are committed with the intent to sell,
transfer, or use protected health information for
commercial advantage, personal gain, or
malicious harm.
Sample Data Request
WHAT ARE FCRA AND GLBA?
FCRA/FACTA
▪ Fair Credit Reporting Act/Fair and Accurate
Credit Transactions Act of 2003
▪ FACTA added sections to the FCRA (15 U.S.C. 1681 et seq.)
▪ Help consumers fight the growing crime of
identity theft
▪ Prescreen opt-out notice
▪ 16 CFR 642
https://www.ecfr.gov/cgi-bin/text-idx?SID=4af7d7a4e7ba5f31805aab8519dae57d&mc=true&node=pt16.1.642&rgn=div5
Major FACTA Provisions
▪ Free report – annualcreditreport.com
▪ Prescreen opt-out notice
▪ Disclose credit scores to mortgage applicants
▪ Credit report fraud alert
▪ ID Theft database
▪ Sets a new standard for what the law calls
“employee misconduct investigations” (no
permission required from employees)
▪ Secure disposal of consumer information
▪ Red Flag rules (ruling by FTC)
Red Flag Rules: Why?
▪ Growing identity theft
▪ To detect and stop identity thieves from using
someone else’s identifying information to
commit fraud
▪ To address identity theft problems
▪ Identify and address problematic information
▪ Enforcing agencies
▪ Payment Card Industry (PCI) standards
What is the Red Flags Rule Regulation?
▪ Red flags fall into five categories:
▪ Alerts, notifications, or warnings from a
consumer reporting agency
▪ Suspicious documents
▪ Suspicious personally identifying
information (i.e., suspicious address)
▪ Unusual use relating to a covered
account
▪ Notices from customers, victims of
identity theft, law enforcement
authorities, or other businesses about
possible identity theft in connection with
covered accounts
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule
Who Must Comply with the Red
Flags Rule?
▪ Financial institutions and creditors with covered
accounts must implement a written Identity
Theft Prevention Program to detect, prevent,
and mitigate identity theft in connection with:
▪ the opening of a covered account, or
▪ any existing covered account
▪ Program must be appropriate to the size and
complexity of entity and nature and scope of
activities
Red Flags Rule Requirement
▪ Financial institution – a state or national bank, a
state or federal savings and loan association, a
mutual savings bank, a state or federal credit
union, or any other person that, directly or
indirectly, holds a transaction account belonging to
a consumer.
▪ Creditor – organizations that regularly defer
payment for goods or services or provide goods or
services and bill customers later.
Enforcement of Red Flags Rule
Compliance Deadline
▪ Anyone with “covered accounts”
must be compliant as of June 1,
2010.
Audits
▪ The FTC can conduct
investigations to determine if a
business has taken appropriate
steps to develop and implement a
written Program, as required by the
Rule. If a violation occurs, the FTC
can bring an enforcement action.
Red Flags Rule and Existing Security
Program
Red Flag Rule Elements
▪ Must include reasonable policies and
procedures to:
▪ Identify relevant Red Flags and incorporate them into
the Program
▪ Detect Red Flags by setting up procedures to detect
those red flags in your day-to-day operations
▪ Respond appropriately to any Red Flags that are
detected
▪ Ensure the Program is updated periodically to address
changing risks
Gramm-Leach-Bliley Act (GLBA)
▪ Passed in 1999
▪ To protect consumers’ personal financial
information held by financial institutions
▪ Non-Public Personal Information (NPI)
▪ Broad definition of FIs (Financial Institutions)
▪ Authority given to eight federal agencies and to
states
▪ For FIs but good model for others
Source: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Nonpublic Personal Financial
Information
▪ Personally identifiable financial information
about an individual;
▪ Any list, description, or other grouping of
consumers (and publicly available information
pertaining to them) derived using any personally
identifiable financial information that is not
publicly available
▪ Income information, credit history, and premium
payment history
PII Definition – Generally Accepted
Privacy principles (GAPP)
▪ Previously known as the AICPA/CICA Privacy
Framework
▪ Privacy definition
▪ PII: Information related to identified or
identifiable individual
▪ Name, Address, Telephone, SS # or Other
Government ID Numbers
▪ Employer, Employment History
▪ Credit Card Numbers, Credit History, Purchase
History
▪ Personal or Family Financial or Medical
Information
Usual State PII Definition
▪ First and last name OR last name and first
initial – plus
▪ Social Security Number OR
▪ Drivers’ License Number OR
▪ State Identification Number OR
▪ Debit or Credit Card Number OR
▪ Financial Account Number OR
▪ Medical Information OR
▪ Health Insurance Information
▪ Most state notification laws: PIN (Private
Industry Notification) or access code in
combination with account numbers in
definition
GLB Overall Requirements
▪ Administrative, technical, and physical
protections
▪ Ensure confidentiality and security
▪ Protect against anticipated threats or hazards
▪ Protect against unauthorized access
▪ Comprehensive written information security
program
GLB – Privacy Rule
▪ Governs the collection and disclosure of
customers’ personal financial information by
financial institutions
▪ Also applies to companies, whether or not
they are financial institutions, who receive
such information
GLB – Safeguards Rule
▪ Requires all financial institutions to design,
implement, and maintain safeguards to protect
customer information.
▪ Applies to
▪ financial institutions that collect information from their
own customers,
▪ financial institutions such as credit reporting agencies
that receive customer information from other financial
institutions
Safeguards Rule Objectives
▪ Ensure the security and confidentiality of
customer records and information – in paper,
electronic or other form
▪ Protect against any anticipated threats or
hazards to the security or integrity of such
records
▪ Protect against unauthorized access to or use
of any records or information which could
result in substantial harm or inconvenience to
any customer
Security Program
▪ Comprehensive process oriented approach
▪ Identify assets
▪ Conduct periodic risk assessments
▪ Develop and implement program that addresses
specific requirements
▪ Monitor and test program
▪ Continually review and adjust
▪ Oversee third party provider arrangements and
practices
▪ Check relevant external standards
Compliance and IT Risk Management
Challenges
Terms for Quiz 2 (Unit 2, 3 and 4)
▪ Archive
▪ Bill of Rights
▪ Business Drivers for ERM
▪ CIA
▪ Classification
▪ Disposition principles
▪ Document
▪ EDRMS
▪ EHR
▪ FACTA
▪ FCRA
▪ FERPA
▪ GAPP
▪ GLB
▪ HIPAA
▪ Least Privilege
▪ Nonpublic Personal Financial
Information
▪ PCAOB
▪ PCI
▪ PHI
▪ PHR
▪ PII
▪ Preservation
▪ Records
▪ Records lifecycle
▪ Records Management
▪ Retention principles
▪ SEC
▪ SOX
▪ Zones