8/12/2014

© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

Legal Disclaimer

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.


Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance…

Some Ground Rules

1. Slide materials: check the "Chat" or "Question" area on the GoToWebinar control panel to copy/paste the link and download the materials
2. Questions go in the "Question Area" on the GTW control panel
3. In case of technical issues, check the "Chat Area"
4. All attendees are in listen-only mode
5. Please complete the exit survey when you leave the session
6. Recorded version and final slides within 48 hours


How to Meet HIPAA-HITECH Encryption Requirements & Beyond

WEBINAR

August 12, 2014

Stephen Treglia, JD, Legal Counsel, Recovery Section, Absolute Software Corporation, (877) 600-2293, [email protected]

Bob Chaput, CISSP, HCISPP, CIPP-US, CEO & Founder, Clearwater Compliance LLC, 615-656-4299 or 800-704-3394, [email protected]

About HIPAA-HITECH Compliance

1. We are not practicing law!
2. The Omnibus has arrived!
3. Lots of different interpretations!

So there!


Stephen Treglia, JD

• Legal Counsel, Absolute's Investigations & Recovery Section, 2010 – present
• Prosecutor in New York, 1980-2010
• Investigated/prosecuted Organized Crime, 1985-1995
• Used computers, seized computers
• Started investigating/prosecuting computer crime in 1996
• Created one of the first Technology Crime Units in 1997, headed it to 2010
• Started investigating/prosecuting Absolute cases in 2006

Bob Chaput, MA, CISSP, HCISPP, CIPP/US

• CEO, Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in the world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Retail, Legal
• Member: IAPP, ISC2, ISACA, HIMSS, ISSA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM, Chambers, Boards

http://www.linkedin.com/in/BobChaput


Session Objectives

1. Define and understand basic HIPAA-HITECH relevant terms and concepts
2. Review the specific requirements of HIPAA and HITECH for encryption
3. Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements
4. Address Why Encryption is Not Enough!

Answer Page!

1. Secure Your PHI: Avoid the "Wall of Shame" …Get Started Now
2. Technology solutions are an important part, but only part of a balanced Security Program
3. Large or Small: Consider Getting Help (Tools, Experts, etc.)
4. Encryption is likely not enough; consider additional safeguards

[Figure: Balanced Compliance Program (Clearwater Compliance Compass™): Policy, People, Procedures and Safeguards; the full text of this diagram appears later in the deck]


Oops! Missed That Safe Harbor Thingy!

Entity | State | Individuals Affected | Date | Type of Breach | Location of PHI
AvMed, Inc. | FL | 1,220,000 | 12/10/2009 | Theft | Laptop
Cincinnati Children's Hospital Medical Center | OH | 60,998 | 3/27/2010 | Theft | Laptop
Praxair Healthcare Services, Inc. | CT | 54,165 | 2/18/2010 | Theft | Laptop
Thomas Jefferson University Hospitals, Inc. | PA | 21,000 | 6/14/2010 | Theft | Laptop
Aultman Hospital | OH | 13,867 | 6/7/2010 | Theft | Laptop
Department of Health Care Policy & Financing | CO | 105,470 | 5/17/2010 | Theft | Desktop Computer
Montefiore Medical Center | NY | 23,753 | 6/9/2010 | Theft | Desktop Computer
St. Joseph Heritage Healthcare | CA | 22,012 | 3/6/2010 | Theft | Desktop Computer
University of Oklahoma-Tulsa, Neurology Clinic | OK | 19,264 | 7/25/2010 | Hacking/IT Incident | Desktop Computer
Montefiore Medical Center | NY | 16,820 | 5/22/2010 | Theft | Desktop Computer
Geisinger Wyoming Valley Medical Center | PA | 2,928 | 11/6/2010 | Unauthorized Access/Disclosure | E-mail
The Children's Medical Center of Dayton | OH | 1,001 | 4/22/2010 | Unauthorized Access/Disclosure | E-mail
Sinai Hospital of Baltimore, Inc. | MD | 937 | 5/3/2010 | Unauthorized Access/Disclosure | E-mail
Reliant Rehabilitation Hospital North Houston | TX | 763 | 2/9/2010 | Unauthorized Access/Disclosure | E-mail
Blue Cross Blue Shield of Tennessee | TN | 1,023,209 | 10/2/2009 | Theft | Hard Drives
Providence Hospital | MI | 83,945 | 2/4/2010 | Loss | Hard Drives
Puerto Rico Department of Health | PR | 400,000 | 9/21/2010 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server
Triple-S Salud, Inc. | PR | 398,000 | 9/9/2010 | Theft | Network Server
Seacoast Radiology, PA | NH | 231,400 | 11/12/2010 | Hacking/IT Incident | Network Server
Ankle & Foot Center of Tampa Bay, Inc. | FL | 156,000 | 11/10/2010 | Hacking/IT Incident | Network Server
Silicon Valley Eyecare Optometry and Contact Lenses | CA | 40,000 | 4/2/2010 | Theft | Network Server
Total | | 3,895,532 | | |

Session Objective 1: Define and understand basic HIPAA-HITECH relevant terms and concepts


Key Terms & Concepts

1. Protected Health Information (PHI)
2. electronic PHI (ePHI)
3. Secured PHI
4. Unsecured PHI
5. Data Breach
6. Encryption
7. Destruction
8. Safe Harbor
9. Security Essentials
10. Required versus Addressable

Protected Health Information

• Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
• PHI is interpreted rather broadly and includes any part of a patient's medical record or payment history…
• …that is linked to any of the 18 personal identifiers enumerated in the Privacy Rule.


Data Breach

• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
• Before the 2013 Omnibus Final Rule, the test was whether the use or disclosure posed a significant risk of financial, reputational, or other harm to the affected individual. Under the Omnibus Rule, an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, a low probability that the PHI has been compromised.

Don't Panic!

[Diagram: Event → Incident → Breach; not every event is an incident, and not every incident is a breach]


Unsecured PHI

• Unsecured PHI is PHI that has NOT been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in the HHS guidance
• CEs and BAs are required to provide notification only if the breach involved unsecured protected health information.

Encryption

Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.1

1 45 C.F.R. § 164.304 Definitions


Safe Harbor

"This guidance is intended to describe the technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach."1

1 Department of Health and Human Services, 45 CFR Parts 160 and 164, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information

Session Objective 2: Review the specific requirements of HIPAA and HITECH for encryption


Security Rule & Encryption

Privacy Rule: Reasonable Safeguards for all PHI

Administrative Safeguards for ePHI:
• Security Management Process
• Security Officer
• Workforce Security
• Information Access Mgmt
• Security Training
• Security Incident Process
• Contingency Plan
• Evaluation
• Business Associate Contracts

Physical Safeguards for ePHI:
• Facility Access Control
• Workstation Use
• Workstation Security
• Device & Media Control

Technical Safeguards for ePHI:
• Access Control
• Audit Control
• Integrity
• Person or Entity Authentication
• Transmission Security

22 Security Standards

HIPAA ACTUALLY SAYS LITTLE ABOUT ENCRYPTION! It appears only as addressable implementation specifications under Access Control and Transmission Security, quoted next.

Access Control (think Data at Rest)

45 C.F.R. § 164.312(a)(1) Standard: Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

(2) Implementation specifications: (iv) Encryption and Decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.


Transmission Security (think Data in Motion)

45 C.F.R. § 164.312(e)(1) Standard: Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications: (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

The Security Rule: Required vs. Addressable1

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and

(ii) As applicable to the entity—

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate—

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.

ADDRESSABLE ≠ OPTIONAL

1 45 CFR 164.306(d)(3)


MU Stage 2 Requirements

Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.

The HITECH Act

THREE absolute "game changers":

1) More Enforcement
2) Bigger fines
3) Wider Net Cast


HIPAA Rules Fall Short… HITECH Addressed

• No definition of Secured or Unsecured PHI in HIPAA!
• Under the HITECH Act, the Secretary of Health and Human Services must issue guidance
• Securing PHI as defined in the new guidance is important because secured PHI is not subject to the breach notification requirements of the HITECH Act.



HHS / OCR Guidance1

• Two methodologies to secure PHI by making it unusable, unreadable or indecipherable to unauthorized persons:
  • Encryption
  • Destruction

• May be used to secure data in four commonly recognized data states:
  1. data in motion
  2. data at rest
  3. data in use
  4. data disposed

1 Department of Health and Human Services, 45 CFR Parts 160 and 164, Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (cited in full above)

Encryption Guidance Based on HHS/OCR Guidance1…

• Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

• Valid encryption processes for data in motion are those which comply, as appropriate, with:
  • NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations;
  • NIST SP 800-77, Guide to IPsec VPNs;
  • NIST SP 800-113, Guide to SSL VPNs;
  • or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

1 http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html


Destruction Guidance

• Must shred or destroy paper, film or other media
• Electronic media cleared, purged or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization

2012 OCR Audit Protocol

Audit Procedures

1. Inquire of management as to whether an encryption mechanism is in place to protect ePHI.

2. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI. Based on the complexity of the entity, elements to consider include but are not limited to:
   a. Type(s) of encryption used.
   b. How encryption keys are protected.
   c. Access to modify or create keys is restricted to appropriate personnel.
   d. How keys are managed.

3. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable.


Balanced Compliance Program (Clearwater Compliance Compass™)

• Policy defines an organization's values & expected behaviors; establishes "good faith" intent.
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following policies and procedures (PnPs).
• Procedures or processes, documented, provide the actions required to deliver on the organization's values.
• Safeguards include the various families of administrative, physical or technical security controls (including "guards, guns, and gates", encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).

Session Objective 3: Provide practical, actionable next steps to take to meet HIPAA-HITECH encryption requirements


Next Actions to Meet Requirements

1. Get Educated on Encryption
2. Determine Regulations that Apply to You
3. Include ALL "ePHI homes"
4. Decide If Encryption is Enough
5. Establish Selection Criteria
6. Identify Alternatives for Secure PHI
7. Test Top Alternatives (Don't Create Bricks!)
8. Ensure Fit Into an Overall HIPAA Compliance Plan
9. Put BAs and Subcontractors on Notice
10. Seek Help, If Needed

Session Objective 4: Address Why Encryption is Not Enough!


Is Encryption Enough?


Graphical representation of state laws

[Map: state data-breach notification statutes, shaded by stringency]

• NM, SD, Kentucky, Alabama lack statutes (as of this 2014 webinar)
• Darker colors: tougher laws
• Virginia considered toughest because of highest penalties
• California started this with a law passed in 2002, effective 2003
• Generally applies to government agencies and businesses
• Some States also cover healthcare


What even constitutes a breach requiring notification?

• Again, varies State by State
• Typically, the release of a name and some other identifier: address, SSN, account number
• Some States have a harm requirement; some don't
• Some require a minimum number of affected individuals before notification is required
• Some make encryption a safe harbor; some don't

But does encryption always = "Safe Harbor"?

• Those who claim encryption is a safe harbor to HIPAA regulation should read 74 Federal Register No. 79, issued 4/27/09: Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

• At page 19009: "(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by 'the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key' and such confidential process or key that might enable decryption has not been breached."


New York General Business Law § 899-aa

Prior statute:

• "Personal identifying information" means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that is included in the same record as the encrypted personal information or data element:

Current statute:

• "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
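The federal guidance quoted above (encryption counts only while the "confidential process or key ... has not been breached") and the New York statute (encryption does not count when the key "is included in the same record" or "has also been acquired") describe the same failure: ciphertext stored together with the key that opens it is not secured PHI. The following Go program is an added example written for this page; it is not code from the webinar, from Clearwater or from Absolute. It uses AES-256-GCM from Go's standard library, a constructed sample record (not real patient data), and a hard-coded stand-in for a key-encryption key that in practice would live in a KMS, TPM or escrow server. The Record layout, the function names and the SafeHarborApplies rule are illustrative assumptions, not anything the regulation or the statute specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the on-disk form of one AES-256-GCM encrypted ePHI record; exactly one key field is set.
type Record struct {
	Ciphertext []byte // nonce || GCM ciphertext of the PHI
	PlainDEK   []byte // data-encryption key kept in the same record: the pattern the prior NY statute did not count as encrypted
	WrappedDEK []byte // DEK sealed under a key-encryption key (KEK) held elsewhere (KMS, TPM, escrow); the KEK never enters the record
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext so a record needs no separate nonce field.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(blob))
}

// Encrypt protects phi under a fresh random DEK. With kek == nil the DEK is stored in the
// record (the anti-pattern); otherwise only the DEK wrapped under kek is stored.
func Encrypt(phi, kek []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, phi)
	if err != nil {
		return nil, err
	}
	if kek == nil {
		return &Record{Ciphertext: ct, PlainDEK: dek}, nil
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt with kek == nil is the thief's view: nothing but the stolen record. It succeeds
// exactly when the key travels with the data. The owner of an envelope record supplies the KEK.
func Decrypt(r *Record, kek []byte) ([]byte, error) {
	if r.PlainDEK != nil {
		return open(r.PlainDEK, r.Ciphertext)
	}
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// SafeHarborApplies encodes the guidance quoted above: encrypted AND key not breached; a key stored in the record is lost with it.
func SafeHarborApplies(r *Record, kekCompromised bool) bool {
	if r == nil || len(r.Ciphertext) == 0 || r.PlainDEK != nil {
		return false
	}
	return !kekCompromised
}

func main() {
	phi := []byte(`{"mrn":"000123","name":"J. Doe","dx":"E11.9"}`) // constructed sample, not real data
	kek := []byte("0123456789abcdef0123456789abcdef")             // stand-in for a key held in a KMS or TPM
	bad, _ := Encrypt(phi, nil)
	good, _ := Encrypt(phi, kek)
	pt, err := Decrypt(bad, nil)
	fmt.Printf("key in record: thief gets %q (err=%v), safe harbor=%v\n", pt, err, SafeHarborApplies(bad, false))
	pt, err = Decrypt(good, nil)
	fmt.Printf("envelope: thief gets %q (err=%v), safe harbor=%v, after KEK breach=%v\n", pt, err, SafeHarborApplies(good, false), SafeHarborApplies(good, true))
}
```

Run it with `go run`. The "key in record" case decrypts with no secret at all, so it fails both the New York test and the federal one, however strong the cipher. The envelope case resists anyone holding only the record, and the one thing that moves it out of safe harbor is compromise of the KEK, which is exactly what the OCR audit protocol probes under "how encryption keys are protected" and "how keys are managed".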

Several States do allow encryption to be a safe harbor

Arizona Revised Statutes § 44-7501(A)

• 44-7501. Notification of breach of security system; enforcement; civil penalty; preemption; exceptions; definitions

A. When a person that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information becomes aware of an incident of unauthorized acquisition and access to unencrypted or unredacted computerized data that includes an individual's personal information, the person shall conduct a reasonable investigation to promptly determine if there has been a breach of the security system. If the investigation results in a determination that there has been a breach in the security system, the person shall notify the individuals affected.


What does all this volatility mean to you?

• Causes the most problems for multi-state entities
• How do compliance officers respond?
  • They comply with the "highest denominator", meaning they comply with the toughest State statutes to play it safe
  • If in compliance with the toughest, they're in compliance with the rest
• Why is staying compliant important?

Consider More Robust Technology


Many Services/Many Solutions/Even Unique Ones

• Computrace/Lojack for Laptops/Patented Persistence (unique to the industry)
• Many devices/one solution (also unique)
• Recovery staff of 43 ex-law enforcement officers with over 1000 years of experience (also unique)
• Encrypted devices/Encryption Reports
• Device Freeze/Data Delete
• Geo-fencing/Data Loss Prevention
• Forensic/Investigative Services
• Can tell what data is and isn't seen; report generated

Compliance is important way beyond HIPAA penalties & fines

• Think as an ambulance-chasing attorney for a moment
• Each listing of a breached healthcare system on the HHS breach portal involves 500 or more individuals
• Generally, a breached identity is valued at a minimum of $1,000
• Class action lawsuit just waiting to happen


Shooting fish in a barrel

Shooting sitting ducks (from a blind that’s not all that blind)

Apropos analogies?

A $4.9 BILLION Lawsuit

• U.S. Dept. of Defense is the defendant for theft of a computer tape from a car driven by an employee of the subcontractor of one of its Business Associates
• Records of 4.9 million members of the military were on the tape
• $1,000 per victim = $4.9 billion
• The Business Associate is also a defendant, but not the subcontractor (sue the entities with the biggest pockets)


Accretive Share Price & Story

July 2011 - Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car

• 1/19/2012: MN SAG Suit

• 7/31/2012: $2.5M MN SAG Settlement

• 4/2/2013: CEO Replaced

• 4/13/2013: COO Replaced

• 6/13/2013: Class Action Suit

• 8/26/2013: CFO Replaced

• 9/27/2013: $14M Class Settlement

• 12/31/2013: FTC Settle.

• 01/2014: 170 Job Cuts

• 03/14/2014: De-Listed NYSE


I’m sure you’ve heard…

• Although not a healthcare breach

• Important security lesson to be learned

• Target HAD the bells & whistles in place to avoid the breach!!!

• Either no one was listening or they were listening & ignored

• What if they had the bells & whistles and they had been turned off either intentionally or unintentionally?

• This is what Absolute can prevent


Problem getting VERY serious in healthcare

• According to this article

• 90% of healthcare organizations have reported at least 1 data breach in the past 2 years

• More than 1/3 have reported MORE THAN FIVE!!!

• The URL for this story is: http://www.healthcareitnews.com/news/HIPAA-breach-response-tips-experts?topic=18,30


Summary

1. Secure Your PHI, Avoid the “Wall of Shame” …Get Started Now

2. Technology solutions are an important part, but only part of a balanced Security Program

3. Large or Small: Consider Getting Help (Tools, Experts, etc)


Balanced Compliance Program

Policy defines an organization’s values & expected behaviors; establishes “good faith” intent.

People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues following PnPs.

Procedures or processes, documented, provide the actions required to deliver on the organization’s values.

Safeguards include the various families of administrative, physical or technical security controls.

Clearwater Compliance Compass™



Resources

Risk Analysis Buyer’s Guide: http://abouthipaa.com/about-hipaa/hipaa-risk-analysis-resources/hipaa-risk-analysis-buyers-guide-checklist/

Encryption & Risk Analysis Information: http://abouthipaa.com/about-hipaa/hipaa-hitech-resources/


Educational Opportunities


Clearwater Information Risk Management BootCamp™ Events

Take Your HIPAA Privacy and Security Program to a Better Place, Faster … Earn CPE Credits!

2014-15 Plans – Virtual, Web-Based Events (3, 3-hr sessions):

• November 5-12-19

• February 5-12-19, 2015

• May 7-14-21, 2015

2014-15 Plans – Live, In-Person Events (9 hours):

• October 16 – Los Angeles

• December 4 – Tampa

• January 22 – Dallas

• April 30 – New Orleans


Clearwater is Now an ISC2 Official Training Provider


Join Us in Nashville: 8/18-20


Register For Upcoming Live HIPAA-HITECH Webinars at:

http://clearwatercompliance.com/live-educational-webinars/


Resources

View pre-recorded Webinars like this one at:

http://clearwatercompliance.com/on-demand-webinars/


Today’s Speakers

Stephen Treglia, JD Legal Counsel, Recovery Section Absolute Software Corporation (877) 600-2293 [email protected]

Bob Chaput, MA, CISSP, HCISPP, CIPP-US CEO & Founder Clearwater Compliance LLC 615-656-4299 or 800-704-3394 [email protected]
