AGENDA: PRECONFERENCE
MONDAY, MARCH 4, 2019
(Separate registration required; Choose one)
7:00 a.m.
Registration Open
PRECONFERENCE I: BASIC TRAINING FOR HEALTH CARE PRIVACY PROFESSIONALS
8:00 a.m.
HIPAA Privacy Basics
Adam Greene, JD, MPH
Partner and Co-chair, Health Information and HIPAA Practice, Davis Wright Tremaine LLP; HIPAA Summit Distinguished Service Award Winner; Former Senior Health Information, Technology and Privacy Specialist, Office for Civil Rights, US Department of Health and Human Services, Washington, DC
Adam Greene is a partner in the Washington, D.C. office of Davis Wright Tremaine and co-chair of its Health Information Group. Adam primarily counsels health care providers, technology companies, and financial institutions on compliance with health information privacy, security, and breach notification rules. Previously, Adam was a regulator at the U.S. Department of Health and Human Services, where he played a fundamental role in administering and enforcing the HIPAA rules. At HHS, Adam was responsible for determining how HIPAA rules apply to new and emerging health information technologies and was instrumental in the development of the current HIPAA enforcement process. Adam has been recognized as one of the top ten influencers in health information security, one of the top 50 healthcare IT experts, and is a frequent speaker and author on health information privacy and security issues.
8:45 a.m.
HIPAA Breach Notification Rule and HIPAA Enforcement Rule
Iliana Peters, JD, LLM
Shareholder, Polsinelli; Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC
Iliana L. Peters is a shareholder for Polsinelli, PC. For more than twelve years, she both developed health information privacy and security policy, including on emerging technologies and cyber threats, for the Department of Health and Human Services, and enforced HIPAA regulations, as both the Senior Advisor for HIPAA Enforcement for over six years, and as Acting Deputy Director for HIPAA. As a CISSP, Iliana works hard to bridge the gap between legal requirements for the security of health data and security industry best practices, so that clients can better understand data security issues and jargon. She is excited to bring her extensive experience drafting, implementing, and enforcing health privacy and security regulations and guidance to a practice that focuses on helping clients develop and implement good data privacy and security practices to avoid risk, and helping clients prepare for and recover from emerging cyber threats.
9:30 a.m.
HIPAA Security Basics
John C. Parmigiani
President, John C. Parmigiani and Associates, LLC; HIPAA Summit Distinguished Service Award Winner; Former Director of Enterprise Standards, HCFA (now CMS) Ellicott City, MD
John Parmigiani is President of John C Parmigiani & Associates, LLC. His current primary focus is on helping healthcare organizations become compliant with healthcare regulations, in particular, HIPAA and the HITECH revisions, and move toward e-health. His work in these areas has ranged from performing compliance and risk assessments to designing systems and serving as an expert witness in Privacy violation cases. He has over 40 years’ experience in information systems management in both the public and private sectors. He chaired a government-wide team that developed the Security Rule and the electronic signature standard and served as a member of the federal committee that oversaw the development of the Privacy Rule and a number of HIPAA transactions and code sets. After his retirement from federal service, he was an executive in a number of consultancies that worked with national clients on the adoption and implementation of HIPAA-compliant requirements, before starting his own consultancy.
10:15 a.m.
Break
10:30 a.m.
How to Achieve the Right Balance of Data Privacy and IT Security
Pamela Hrubey, DrPH, CIPP-US, CCEP
Global Privacy and Data Protection Practice Leader and Managing Director, Crowe LLP; Former Chief Privacy Officer and Senior Ethics and Compliance Officer, Global Shared Services, Eli Lilly and Company, Indianapolis, IN
Pam Hrubey is a managing director in Crowe’s Risk practice. She leads Crowe’s ethics and compliance-related solutions, focusing primarily on privacy and data protection-related matters by assisting clients with developing, implementing, and assessing effective privacy and data protection-related strategies across the global enterprise. Pam also works with senior-most leaders in organizations to develop and maintain an understanding of the strategic implications of privacy and data protection as it regards protecting the organization’s brand. Prior to joining Crowe, Pam worked for an Indianapolis-based pharmaceutical company in a number of leadership positions in risk management, privacy and data protection, ethics and compliance, and clinical development. Pam’s leadership experiences enable her to support her clients’ efforts to strategically design and implement sustainable privacy and data protection programs leveraging a risk-based approach. Pam is a certified corporate compliance and ethics professional and a certified information privacy professional.
11:15 a.m.
Faculty Discussion and Q&A
12:00 p.m.
Adjournment; Lunch on Your Own
PRECONFERENCE II: PROFESSIONAL CERTIFICATION PRECONFERENCE: CERTIFIED CYBER SECURITY ARCHITECT (CCSA℠) PROFESSIONAL CERTIFICATION TRAINING
8:00 a.m.
Introduction and Overview
Uday O. Ali Pabrai, MSEE, CISSP
Chief Executive and Co-founder, ecfirst (Home of HIPAA Academy), Irvine, CA
Ali Pabrai is the CEO of ecfirst. A highly sought-after information security and regulatory compliance expert, he has successfully delivered solutions on compliance and information security to organizations worldwide. Mr. Pabrai has presented opening keynote and other sessions at several conferences, including ISACA, ISSA, FBI InfraGard, HIMSS, HCFA, HIPAA Summit, Microsoft Tech Forum, NASEBA Healthcare Congress (Middle East), Kingdom Healthcare (Saudi Arabia), Internet World, DCI Expo, Comdex, Net Secure, Nurse Practitioners Conference, National Council for Prescription Drug Programs (NCPDP), National Council for State Board of Nursing IT Conference, and many others.
8:30 a.m.
Security Incident Management
9:00 a.m.
Vulnerability Assessment and Pen Tests
9:45 a.m.
Cyber Security Policies
10:00 a.m.
Break
10:30 a.m.
Establishing a Cyber Security Program
11:00 a.m.
Faculty Q&A
11:30 a.m.
CCSA℠ Exam
12:00 p.m.
Adjournment; Lunch on Your Own
OPENING PLENARY SESSION — HIPAA PRIVACY
1:00 p.m.
Introduction, Overview and Annual Health Care Privacy Update, including GDPR and New California Law
Adam Greene, JD, MPH
Partner and Co-chair, Health Information and HIPAA Practice, Davis Wright Tremaine LLP; HIPAA Summit Distinguished Service Award Winner; Former Senior Health Information, Technology and Privacy Specialist, Office for Civil Rights, US Department of Health and Human Services, Washington, DC (Co-Chair)
1:30 p.m.
OCR HIPAA Policy Update
Roger Severino, JD
Director, Office for Civil Rights, US Department of Health and Human Services; Former Director, DeVos Center for Religion and Civil Society, Institute for Family, Community and Opportunity, Heritage Foundation; Former Trial Attorney, Civil Rights Division, US Department of Justice, Washington, DC
Roger Severino is the Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), where he leads the agency’s work to enforce federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy. Prior to joining the Department, Mr. Severino served as the Director of the DeVos Center for Religion and Civil Society in the Institute for Family, Community, and Opportunity at The Heritage Foundation. Before joining Heritage in 2015, Mr. Severino was a trial attorney for seven years in the Department of Justice’s Civil Rights Division.
Adam Greene, JD, MPH
Partner and Co-chair, Health Information and HIPAA Practice, Davis Wright Tremaine LLP; HIPAA Summit Distinguished Service Award Winner; Former Senior Health Information, Technology and Privacy Specialist, Office for Civil Rights, US Department of Health and Human Services, Washington, DC (Moderator)
2:15 p.m.
OCR HIPAA Compliance and Enforcement Update
Serena Mosley-Day, JD
Acting Senior Advisor for HIPAA Compliance and Enforcement, Office for Civil Rights, US Department of Health and Human Services; Former Assistant Regional Counsel, Social Security Administration, Atlanta, GA
Serena Mosley-Day is the Senior Advisor for HIPAA Compliance and Enforcement, Office for Civil Rights (OCR), the U.S. Department of Health and Human Services (HHS). In this role Serena is the national lead for OCR enforcement of the HIPAA Rules, and works closely with OCR’s regional offices to promote compliance with and enforcement of the HIPAA Rules, including through negotiated resolution agreements. Serena has been with HHS OCR since December 2013. Prior to serving as Senior Advisor, Serena was the Deputy Regional Manager, Southeast Region of HHS OCR. Before joining HHS OCR, Serena was an attorney at the Social Security Administration and a supervisory attorney for the U.S. Department of Education, Office for Civil Rights. Serena is a graduate of the United States Air Force Academy.
2:45 p.m.
FTC Privacy Enforcement Update
Cora Han, JD
Senior Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, Washington, DC
Cora Han is a senior attorney in the Federal Trade Commission’s Division of Privacy and Identity Protection where she investigates and prosecutes violations of federal laws protecting the privacy and security of consumer information, and works on related policy matters. She has played a leading role on health privacy matters for the FTC, including organizing the FTC’s seminar on Consumer Generated and Controlled Health Data, and developing business guidance for mobile health app developers. Prior to joining the FTC, Cora was an attorney with WilmerHale, where her practice focused on trademark, copyright, and media law.
3:15 p.m.
Break
3:45 p.m.
Update on 42 CFR Part 2, the Privacy Rule that Governs Substance Use Disorder Treatment Records
Mitchell Berger, MPH
Office of Policy, Planning and Innovation, Substance Abuse and Mental Health Services Administration (SAMHSA), Rockville, MD
Mitchell Berger serves as a Public Health Advisor for the Substance Abuse and Mental Health Services Administration (SAMHSA), Office of the Assistant Secretary for Mental Health and Substance Use (OAS), where he contributes to the agency’s work on such topics as mental health and substance use disorder integration, regulation review, human immunodeficiency virus, Block Grants and health disparities. Mr. Berger also has served as part of the SAMHSA team working on the Confidentiality of Substance Use Disorder Patient Records regulation (42 CFR Part 2). Prior to joining SAMHSA, Mr. Berger worked as a Public Health Planner for local health departments. In these positions, Mr. Berger contributed to access to care, behavioral health, community health assessment and planning, emergency preparedness and public health legislation and policy efforts.
4:15 p.m.
The Role that Privacy Policy Plays in the Initiative to Permit Patients with Complete Control of their Health Data
Deven McGraw, JD
General Counsel and Chief Regulatory Officer, Citizen Corporation; Former Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services; Former Director, Health Privacy Project, Center for Democracy and Technology; Former Chief Operating Officer, National Partnership for Women & Families, Redwood City, CA
Deven McGraw is the General Counsel and Chief Regulatory Officer for Citizen Corporation. She was previously the Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR) and is the Acting Chief Privacy Officer for the HHS Office of the National Coordinator for Health IT (ONC). She is a well-respected expert on the HIPAA Rules and brings to her positions a wealth of experience in both the private sector and the non-profit advocacy world. Prior to joining HHS, she was a partner in the healthcare practice of Manatt, Phelps & Phillips, LLP. She previously served as the Director of the Health Privacy Project at the Center for Democracy & Technology, and as the Chief Operating Officer at the National Partnership for Women & Families, where she provided strategic leadership and substantive policy expertise for the Partnership’s health policy agenda.
4:45 p.m.
Health Care Privacy in the Context of Global Privacy Policy
John Verdi
Vice President, Policy, Future of Privacy Forum, Washington, DC
John Verdi is Vice President of Policy at the Future of Privacy Forum (FPF). John supervises FPF’s policy portfolio, which advances FPF’s agenda on a broad range of issues, including: Artificial Intelligence & Machine Learning; Algorithmic Decision-Making; Ethics; Connected Cars; Smart Communities; Student Privacy; Health; the Internet of Things; Wearable Technologies; De-Identification; and Drones.
John previously served as Director of Privacy Initiatives at the National Telecommunications and Information Administration, where he crafted policy recommendations for the US Department of Commerce and President Obama regarding technology, trust, and innovation. John led NTIA’s privacy multistakeholder process, which established best practices regarding unmanned aircraft systems, facial recognition technology, and mobile apps. Prior to NTIA, he was General Counsel for the Electronic Privacy Information Center (EPIC), where he oversaw EPIC’s litigation program.
5:15 p.m.
Chief Privacy Officers Best Practices Roundtable
Kate Black, JD
Global Privacy Officer and Senior Counsel, 23andMe; Former Federal Policy Analyst, Office of the National Coordinator for Health IT, US Department of Health and Human Services; Former Health Privacy Counsel, Center for Democracy & Technology, San Francisco, CA
Kate Black’s practice focuses on data privacy and information protection issues in consumer technology, digital health, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and overseeing security policy audits for leading health technology companies.
Prior to joining the firm, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.
Ellen Marie Giblin, JD, M Ed, CIPP/US/C/G
Chief Privacy Officer and Counsel, Privacy Hub, LLC; Former North American Privacy Officer, HIPAA Privacy Officer, Privacy Counsel and GDPR Core Team, Philips; Former Head HIPAA Privacy Officer, BCH and Foundations, Boston Children’s Hospital, Boston, MA
Since early 2003, Ellen Giblin has been providing legal and compliance advice and guidance in all aspects of global privacy, data protection, data security, cybersecurity and data breach response laws, including compliance with GDPR, HIPAA, GLBA, and the continually updated state data breach, data security and disposal laws. She has gained experience and recognition as an expert in records management, risk management, vendor management, background checks under the FCRA and laws relating to monitoring employees in digital workplaces. She possesses a Senior Risk Manager level of leadership in risk recognition and upstream regulatory risk analysis. Recently, Ellen has been honored with a Ponemon Institute Fellowship and a Pell Center Cyber Leadership Fellowship, and is an invited member of the Boston Bar Foundation Society of Fellows.
Lucia Savage, JD
Chief Privacy and Regulatory Officer, Omada Health; Former Chief Privacy Officer, Office of the National Coordinator for Health Information Technology; Former Senior Associate General Counsel, UnitedHealthcare; Former General Counsel, Pacific Business Group on Health, San Francisco, CA
Lucia Savage is a nationally recognized thought leader on health information privacy and HIPAA. Through strategic advice, she drives Omada Health’s commitment to use state-of-the-art digital technology and data science to connect humans to health care professionals and deliver clinically effective programs while maintaining the privacy and security of individuals’ health information. From 2014 until 2017, Ms. Savage served as Chief Privacy Officer at the U.S. Dept. of Health and Human Services Office of the National Coordinator for Health IT.
Tracey Scraba, MPH, JD
Vice President and Chief Privacy Officer, CVS Health, Former Vice President and Chief Privacy Officer, Aetna, Hartford, CT
Tracey Scraba is the Vice President, Chief Privacy Officer at CVS Health. She has enterprise-wide responsibility for CVS Health’s privacy program including daily operations of the privacy office, development and implementation of privacy policies and procedures, monitoring privacy compliance, information governance, incident investigation and breach response and providing privacy and security legal support.
Prior to joining CVS Health, she was the Chief Privacy Officer at Aetna. She also served as Senior Privacy and Security Counsel, Behavioral Health Counsel and Counsel for National Accounts Retiree programs. Prior to her work at Aetna, Tracey worked at the law firm of Robinson & Cole in their health law practice.
Tracey is also a graduate of the Higher Ambition Leadership Institute (HALI), a year-long multi-session program that provides leaders the opportunity to develop their capabilities, as well as contribute to the advancement of their company’s mission and purpose.
Christina Solis, JD, MPH
Senior Legal Officer and Privacy Officer, University of Texas Health Science Center at Houston, Houston, TX
Christina Solís is senior legal officer and the privacy officer at The University of Texas Health Science Center at Houston. She focuses her practice on health care law and law relating to human subjects research. She has a particular emphasis on implementing and enforcing the HIPAA Standards for Privacy of Individually Identifiable Health Information, and she advises researchers on structuring protocols to meet the Privacy Standards. In addition, Ms. Solís advises the University on a variety of health care operational issues. Ms. Solís has worked at UTHealth since 2002. Prior to coming to UTHealth, Ms. Solís practiced law in private practice in Berkeley, California, representing and advising physicians and physician practices in a variety of corporate and regulatory matters.
Iliana Peters, JD, LLM
Shareholder, Polsinelli; Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services, Washington, DC (Moderator)