Health Privacy + Security Intensive Day 2016

Intensive Day – Monday, Oct. 24, 2016

Intensive Days are all-day events that feature primarily small discussion groups among seasoned professionals. Intensive Days differ from workshops in that workshops are shorter and more introductory in nature.

Intensive Days are for seasoned professionals, and the discussion will be focused and advanced. Intensive Days are for deep dives into topics.

The Health Privacy and Security Intensive Day is a way to join your peers in a sophisticated series of discussions about cutting-edge issues involving privacy and security. There will be unparalleled interactivity. Most of the day will be spent in seminar-style discussion groups.

What is the Health Privacy + Security Intensive Day?

It is a special all-day event — like a “seminar within a conference” — that will occur on Monday, Oct. 24, 2016, the day prior to the Privacy+Security Forum. It features small group discussions among seasoned professionals. The conversations will be focused and advanced, with unparalleled interactivity. Intensive Days differ from Workshops in that Workshops are shorter and more introductory in nature.

George Washington University Marvin Center
800 21st Street Northwest
Washington, DC 20052


Heather Sussman

Ropes & Gray

Adam Greene

Davis Wright Tremaine

Jennifer Archie

Latham & Watkins


Our chairs for the Health Privacy and Security Intensive Day plan the event and determine the topics for discussion.

Schedule Health Privacy + Security Intensive Day

Breaks and lunches will be with everyone present on the pre-conference day, so if you have colleagues attending workshops or Intensive Days on other topics, you will have time to network with them.


Conference Materials

7:30am – 9:00am   Breakfast
9:00am – 10:15am   Session 1

Health Data Stewardship – Meeting the Challenge

Moderated by Jennifer Archie

What are the challenges for businesses collecting, processing, transferring, sharing and disposing of health data in today’s complex health industry ecosystem?  How are providers, businesses and vendors meeting these challenges?

What are the challenges with and successful strategies for obtaining valid consents from individual consumers or patients around the globe to enable new data initiatives – are de-identification, pseudonymization, or anonymization workable (or potential alternative) solutions? Even so, what challenges remain?

How are peer companies implementing “privacy analyses” versus “privacy impact assessments”? What do they look like and what are challenges that providers or businesses face with these assessments?  What are practical solutions to these challenges?

Room 309

10:15am – 10:45am   Break
10:45am – 12:00pm  Session 2

What Is Health Data and Do Definitions Matter?

Moderated by Heather Egan Sussman

How is “health data” defined by law, or by common understanding?  Does HIPAA provide the right framework for thinking about “health data” – what are the challenges of applying this definition outside of the HIPAA context?

How do laws and regulators define “health data” in Europe or elsewhere and are there benefits or costs to adopting these definitions in a global business environment?

What are the competing business reasons we may want to have finer versus broader definitions of “health data” – and why do definitions even matter?

How do peer businesses solve tensions of competing regulatory regimes – for example, when some business lines fall inside versus outside highly regulated spheres?

Is there a pathway for finding common ground?

Room 309

12:00pm – 1:30pm Lunch
1:30pm – 2:45pm Session 3

Managing Third-Party Risk for Health Data

Moderated by Adam Greene

What level of due diligence and monitoring of vendors does HIPAA require? How does this differ from the FTC’s approach? What about outside of the HIPAA context?

What is the best way to identify which vendors pose the most risk when it comes to health data?

Where HIPAA does not require a business associate agreement, what is best practice?

Benefits and drawbacks of security questionnaires, third-party assessments, certifications, and other assessment tools.

What privacy and security provisions are appropriate when the services involve the processing of health data, particularly when we move beyond or outside of HIPAA requirements?

Room 309

2:45pm – 3:15pm Break
3:15pm – 4:30pm Session 4

Health Data Breaches

Moderated by Jennifer Archie

Healthcare providers spend an average of less than 6% of their IT budgets on security. But outside attacks on healthcare data are increasing exponentially, as personal health information is by some estimates 50 times more valuable on the black market than financial information.

The last roundtable of the day will explore advanced topics in healthcare data breach planning and response, including:

What are the hallmarks of an incident response plan that works in a crisis, vs. one that merely looks good on paper before a crisis?

How should cooperation and reporting and liability-shifting work in the Vendor/Covered Entity relationship in practice, and on paper?

How should one respond to ransomware, DDoS and other non-PHI attacks?

When should external advisors be hired?

What should one expect from post-breach or FTC investigations?

When is information “compromised” for purposes of a HIPAA breach risk assessment?

Room 309


The Health Privacy and Security Intensive Day will be on Monday, October 24, 2016.  The Privacy+Security Forum will be on Tuesday, October 25, 2016 and Wednesday, October 26, 2016.  The fee for participating in the Health Privacy and Security Intensive Day is separate from the fee to participate in the Forum. You can register for the Health Privacy and Security Intensive Day independently from the main Privacy+Security Forum. Registration and fees are here.

Intensive Day Admission 2016

Genius Bird: before April 30, 2016

Early Bird: before August 30, 2016

Full Price: after August 30, 2016

Intensive Day (price for each)




Intensive Day (price for each – academic/NGO/gov’t)