September 2014 Newsletter

This Month's Focus:

Obligations of HIPAA Business Associates

HIPAA Business Associates

Business associates are subject to a variety of reporting requirements, including breaches of unsecured protected health information, impermissible uses and disclosures that do not rise to the level of a breach, security incidents, and state law requirements. This months feature article addresses the differences between the varying incident reporting requirements and identifies options for operationalizing the requirements and addressing incident reporting in contracts. Without understanding and strategically addressing these various requirements, HIPAA business associates may find themselves agreeing to whatever terms the covered entity seeks and ending up in a quagmire of hundreds of varying customer breach notification obligations that may not be achievable in practice.

Click here to read more on this subject.

ADDITIONAL INFORMATION

The following articles can be found on Authorities on Risk Assurance, the Shared Assessments blog:

SAVE THE DATE

2015 Shared Assessments Summit

Join us for the 2015 Shared Assessments Summit

Four Seasons Hotel - Baltimore

Schedule of Events:

April 27: SIG 101 & AUP 101 Pre-Conference Workshop(s)

April 28: TBD Pre-Conference Workshop(s)

April 29: Shared Assessments Summit (full day session)

April 30: Shared Assessments Summit (morning session)

May 1: *CTPRP Certification Workshop & Exam

*The Shared Assessments Program is pleased to announce the launch of the Certified Third Party Risk Professional (CTPRP) program in January 2015. Individuals who pass the CTPRP examination and successfully comply with the requirements to earn and maintain the certification have a thorough working knowledge of third party risk management concepts and principles. More information and a formal announcement will be released in the near future.

Registration, including Member and early bird discounts, will be provided soon. To learn more about sponsorship opportunities, contact us at [email protected].

SHARED ASSESSMENTS PROGRAM

& MEMBER SPOTLIGHT

Hear from Shared Assessments Members at these upcoming events:

Shared Assessments Steering Committee Member, Rocco Grillo, Managing Director, Protiviti, Inc.

IEF Cybersecurity in the Global Energy Sector
October 9, 2014 - Washington, DC Learn more
CLM Cyber Liability Summit
October 15, 2014 - New York, NY Learn more

Shared Assessments Vice Chair, Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc.

Special Event: Third Party Security and Application Seminar and Dinner - Charter House Restaurant
October 28, 2014 - Weehawken, NJ Learn more

Members Only

To promote your upcoming speaking events here, please send details to Kelly Wagner, Project Manager, The Santa Fe Group.

Presentation on Demand

Watch Shared Assessments Program Director, Brad Keller, The Santa Fe Group, and Shared Assessments Vice-Chair, Jonathan Dambrot, Prevalent, Inc., discuss Incident Response and Third Party Risk.

Watch now

ASK THE EXPERTS

Commonly asked questions asked and answered

Question:

My company annually completes 30+ questionnaires from financial services companies, healthcare organizations and to various other sector clients. Questions to most extent are repetitive. I was wondering if there is a service that Shared Assessments provides to vendors who fill out questionnaires.

Answer:

The Shared Assessments Standard Information Gathering (SIG) questionnaire was designed to address your situation. The SIG is used by companies wishing to conduct risk management vendor due diligence. It was also designed to provide service providers with an easy to use questionnaire that can be completed and provided to their clients. The SIG is currently used by service providers across the globe to respond to customer questionnaires. In this way, rather than completing a substantial number of different proprietary questionnaires from client's, a service provider can complete the SIG once and provide it to multiple clients. Many service providers also use the SIG to respond to requests for proposals (RFP's) to help identify the breadth of their IT and data security practices.

FEATURE ARTICLE

No Secrets: Reporting Obligations of HIPAA Business Associates

By Adam Greene

J.D., M.P.H., Partner,
Davis Wright Tremaine LLP

Once upon a time, privacy and information security were an afterthought during contract negotiations. But breach notification has fundamentally changed the process, causing organizations to become increasingly concerned with their service providers' privacy and security practices. Breach reporting time periods and breach indemnification costs can be the most hotly contested provisions in a contract negotiation.

MEMBERSHIP

Interested in Becoming a Shared Assessments Member?

Contact Julie Lebo, VP Member Relations, at
(703) 533-7256 or by Email

Shared Assessments would like to welcome our newest Members and Partners:

RESOURCES

OCC Guidance 2013-29

OCC BULLETIN 2014-41

PCI DSS AND PA-DSS VERSION 3.0

Download press release

Download standards

PCI DSS REQUIREMENT 12.8

Download press release

Download standards

Federal Reserve Guidance on Managing Outsourcing Risk

Download

ISO/IEC 27001:2013

Download

NIST: Framework for Improving Critical Infrastructure Cybersecurity

Download

Future Topic Suggestions

Do you have a topic you'd like to see covered in an upcoming newsletter or presented on a future monthly Member Forum call?

Send your ideas to Kelly Wagner, Project Manager for Shared Assessments.

Guest Bloggers

Interested in serving as a guest blogger on the Shared Assessments Authorities on Risk Assurance blog? Contact Kelly Wagner, Project Manager for Shared Assessments.

Read our Guest Blogger Guidelines

Career Opportunities

To learn more about possible career opportunities with The Santa Fe Group and Shared Assessments Program, send your inquires to [email protected]

CONNECT