Assessing when a Vendor’s Security Incident Is a Breach
4:15pm - 5:15pm, Tuesday, February 12
Orlando - Orange County Convention Center
OCR has reported that third-party vendors cause, on average, 15 percent of all large breaches of protected health information (PHI). The data also shows that these incidents tend to affect a disproportionate number of individuals, because they often involve information systems that handle large volumes of PHI on behalf of many HIPAA covered entities at once. In this session, a former OCR regulator and an experienced healthcare CISO will show how to look beneath the surface when a third-party vendor experiences a security incident and will offer best practices for surviving such an incident. They will share their experience in evaluating vendor security incidents and in determining how much information is needed to assess the risk that data was compromised. The speakers will guide participants in applying a HIPAA lens, as well as other health information privacy rules, to determine what constitutes a reportable breach, who must notify whom, and when the notification must be made.
Define how covered entities can determine if a reportable breach occurred with a business associate, and outline the roles privacy, compliance, security, in-house counsel and outside consultants and advisers should play
Identify the questions that covered entities need to ask their business associates to determine the root cause of a security incident, assess the extent of information needed to determine the risk of data compromise and analyze how to view the vendor’s self-assessment
Interpret these questions through scenarios, applying a HIPAA lens as well as the patchwork of state health information privacy rules, to form a complete picture of what constitutes a reportable breach, who must notify whom, and when the notification must be made