C4HCO Security and Privacy Discussion Bill Jenkins C4HCO Security and Privacy Officer 16 October 2013


Page 1: C4HCO Security and Privacy Discussion

C4HCO Security and Privacy Discussion
Bill Jenkins
C4HCO Security and Privacy Officer
16 October 2013

Page 2: Agenda

• Introductions
• What – Needs to be Protected?
• How – Does it Need to be Protected?
• When – Does it Need to be Protected?
• Who – Assistance Sites
• Questions and Answers

Page 3: Introductions

Bill Jenkins
C4HCO Security and Privacy Officer
Contact e-mail addresses (redacted in this copy; domain connectforhealthco.com)

Page 4: What Needs to be Protected

• C4HCO handles:
  o Personally Identifiable Information (PII)
  o Protected Health Information (PHI)
  o Payment Card Industry (PCI) data
  o Federal Tax Information (FTI)

• From C4HCO, Assistance Sites receive:
  o PII
  o Incidental exposure to the others

Page 5: What is PII?

• OMB Memorandum M-07-16 defines Personally Identifiable Information (PII) as information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
  o Stand-alone PII: Full name, Social Security Number, Immigration Number, etc.
  o Linkable PII: Bank Account Information, Credit Card Information, Health/Dental Policy Number, Pregnancy/Disability/Incarceration Status, etc., when attached to an identifier (stand-alone PII).

• Examples of documents that contain PII:
  o Single Streamline Application (SSAp), Appeals Application, Citizenship Documents, Tax Returns, W2s/Income Verification Documents, Reports

• You may only use or disclose PII as authorized as part of your job.

Page 6: How Does it Need to be Protected?

• Establish technical, physical, and administrative controls that:
  o Authorize access to data (grant permission)
  o Ensure only authorized people access the data (limit access)
  o Use the data to do your job and then get rid of it (minimize retention)
  o Transmit and store data safely (lock it up)

• C4HCO has 30+ Security and Privacy Policies
  o Even more procedures
  o Only a subset applies to you! – depends on your business model
  o Will take time to fully implement

• Most Relevant
  o Security Training and Awareness
  o Incident Response
  o Personnel Security
  o Accountability and Risk Management
  o Use Limitation

Page 7: When Does it Need to be Protected?

• Upon receipt
  o From C4HCO
  o From Customer

• While being used
  o Be aware of your surroundings
  o Stick to the script

• While stored or retained
  o Is it really needed?
  o Apply common sense
  o Two tests – your own data, answering the reporter afterwards

• When done with it
  o Return it
  o Really deleted?
  o Valuable scraps

Page 8: Assistance Sites

• Partners with C4HCO
  o Yet independent entities

• Business Models Vary
  o For some, an added service
  o For some, a primary mission
  o Different uses of data can be permitted

• Informed Customer Consent
• Permitted C4HCO use
• Get it in writing!

We will all learn and grow together

Page 9: Questions and Answers

Go for it!