Health Privacy + Security Intensive Day 2017

Intensive Day – Wednesday, Oct. 4, 2017

Intensive Days are all-day events that feature primarily small discussion groups among seasoned professionals. Intensive Days differ from workshops in that workshops are shorter and more introductory in nature.

Intensive Days are for seasoned professionals, and the discussion will be focused and advanced. Intensive Days are for deep dives into topics.

The Health Privacy and Security Intensive Day is a way to join your peers in a sophisticated series of discussions about cutting-edge issues involving privacy and security. There will be unparalleled interactivity. Most of the day will be spent in seminar-style discussion groups.

What is the Health Privacy + Security Intensive Day?

It is a special all-day event — like a “seminar within a conference” — that will occur on Wednesday, Oct. 4, 2017, the day prior to the Privacy+Security Forum. They feature small group discussions among seasoned professionals. The conversations will be focused and advanced, with unparalleled interactivity. Intensive Days differ from Workshops in that Workshops are shorter and more introductory in nature.

George Washington University Marvin Center
800 21st Street Northwest
Washington, DC 20052


Adam Greene
Adam Greene

Davis Wright Tremaine

Deborah Gersh
Deborah Gersh

Ropes & Gray

Jennifer Archie
Jennifer Archie

Latham & Watkins


Our chairs for the Health Privacy and Security Intensive Day plan the event and determine the topics for discussion.

Schedule Health Privacy + Security Intensive Day

Breaks and lunches will be with everyone present on the pre-conference day, so if you have colleagues attending workshops or Intensive Days on other topics, you will have time to network with them.

7:30am – 9:00am   Breakfast
9:00am – 10:15am   Session 1

Impact of Recent Policy and Enforcement Developments

Moderated by Adam Greene and Jennifer Archie

Record breaking HIPAA enforcement actions and more of them. Controversial guidance on the right of access, access to news media (and other third parties?) to treatment areas, ransomware, and cloud computing. What is the impact on organizations in the health care sector? Do these guidance documents represent clarifications or significant changes in policy? Do these enforcement actions require you to address compliance differently? This session will highlight some of the big recent changes and discuss their implications.

10:15am – 10:45am   Break
10:45am – 12:00pm  Session 2

Data Aggregation: Risk, Reward and Responsibility

Moderated by Deborah Gersh

When HIPAA was first enacted, the concept of maintaining the privacy of individually identifiable health information focused primarily on protecting the unauthorized use and disclosure of such information from outside parties. In recent years, the sheer volume of data retained by HIPAA covered entities and business associates has expanded the ways in which data is used, providing unique opportunities and challenges. Combining and analyzing data is critical for a variety of reasons—from continuity and efficiency of care, population health management, better understanding and managing diseases states and developing effective clinical trials. How can companies responsibly and legally aggregate and use the data? Can artificial intelligence derived from such identifiable information be used to assist in diagnosis and treatment and what data can be aggregated/shared?

12:00pm – 1:30pm Break
1:30pm – 2:45pm Session 3

Advanced Data Breach Case Studies

Moderated by Adam Greene

It’s been three years since the HIPAA Omnibus Rule revised the Breach Notification Rule, purportedly moving towards a more objective process. But what constitutes a “use” or “disclosure”? For example, is the transmission of unencrypted information a “provision of access” to unauthorized persons? What does it mean for information to be “compromised”? Does it have to be used in some manner? How do you weigh the four required breach risk assessment factors? Can strong mitigation outweigh the other factors? This session will look at some case studies where reasonable minds may definitely disagree on whether they qualify as “breaches,” considering different approaches to interpreting the regulation.

2:45pm – 3:15pm Lunch
3:15pm – 4:30pm Session 4

Managing Third Party Privacy and Security Risks

Moderated by Jennifer Archie

Third party risk management challenges abound for healthcare organizations collecting, using, sharing and handling protected health information, even where minimized or anonymized. They are frequent targets for cyber-attacks, they make extensive use of third parties, and they must manage intensive regulatory oversight. The lure of monetary gain from healthcare data draws threat actors from around the world. Successful attacks also provide visibility for those who are motivated by non-monetary or political objectives. Attacks can heavily damage the reputations and brands of healthcare organizations.. Scrutiny of the risks associated with these supply chains has taken a more central role in government and independent exams and audits. The rigor of legal and regulatory oversight continues to increase.

  • How can covered entities and service providers manage risks commensurately with the level of risk and complexity of the third party relationship?
  • How can organizations judge how well they are managing third party risk?
  • How can organizations cost effectively satisfy the heightened expectations of state and federal regulators?


The Health Privacy and Security Intensive Day will be on Wednesday, October 4, 2017.  The Privacy+Security Forum will be on Thursday, October 5, 2017 and Wednesday, October 6, 2017.  The fee for participating in the Health Privacy and Security Intensive Day is separate from the fee to participate in the Forum. You can register for the Health Privacy and Security Intensive Day independently from the main Privacy+Security Forum. Registration and fees are here.

Intensive Day Admission 2017

Early Bird

Before Aug 30, 2107

Full Price

After Aug 30, 2017

Intensive Day (price for each)




Intensive Day (price for each – academic/NGO/gov’t)