HIPAA Compliance and Electronic Protected Health Informa6on: Ignorance is not bliss!
|
|
- Diane Powers
- 8 years ago
- Views:
Transcription
1 Maxxum, Inc. HIPAA Compliance and Electronic Protected Health Informa6on: Ignorance is not bliss! Medical Device ephi Risk Iden6fica6on and Mi6ga6on
2 Webinar Overview Relevance why this topic? Risk a perspective to consider. Context the domain we re exploring. Examples 4 medical devices. Awareness now what?
3 Relevance Risk iden6fica6on and management for one class of data bearing technology is rela6vely unaddressed today. That class is the medical device. Medical device data storage of electronic Protected Health Informa6on presents breach risks in direct pa6ent care, clinical lab, and medical imaging selngs.
4 It s In The News Relevance Securing PHI in Devices Is Difficult but Essential Reprinted from REPORT ON PATIENT PRIVACY January 2011Volume 11Issue 1 When Mountain Vista Medical Center found that two portable memory cards were missing from endoscopy machines, it notified patients and retrained staff in its gastroenterology unit (see story, above). And it took an additional step: It modified the endoscopy machines to no longer use the compact memory data cards, the Mesa, Ariz., hospital said in a statement last month. This was This was the the first first breach in in recent memory memory that involved that a involved medical device, a medical but such device, equipment but such equipment can be can just be just as as vulnerable to to privacy and security and security lapses as lapses laptops or as networks. laptops or networks. And devices may pose more of a threat because of how they are made, and because hospitals and other covered entities don t always think of them the same way they think of other computer devices when it comes to securing data, says Mac McMillan, chief executive officer of CynergisTek, Inc., and chair of the privacy and security steering committee of the Health Information Management Systems Society. Part of the problem is the nature of these devices. Medical devices are kind of in a special category. They were designed to do a particular function; they were not necessarily designed with security in mind, he says. It s the same issue with printers, faxes, copiers the problem is people don t think of them as storing data. Some medical devices and equipment are not terribly sophisticated from a security standpoint, he says. Medical devices are kind of in a special category. They were designed to do a particular function; they were not necessarily designed with security in mind, he says.
5 Ponemon Study Relevance Ninety percent of healthcare organiza6ons studied had at least one data breach in the past two years. Thirty- eight percent reported more than five breach incidents. The average economic impact of data breaches over the past two years for healthcare organiza6ons in the study was $1,973,895. Fourth Annual Benchmark Study on Pa6ent Privacy & Data Security - Ponemon Ins6tute, March 2014
6 HIPAA Breaches Since 2009 Relevance 1194 breaches of 500 or more records More than 133 million patient records affected Largest breach is over 78 million records Breach types from misplaced paper to cyber attacks Two breach examples under 500 records: Walgreens 1 record, $1.44 million breach judgement Hospice of Northern Idaho s 441 record breach, $50k Commen6ng on the Hospice breach, OCR Director Leon Rodriguez said: This ac6on sends a strong message to the health care industry that, regardless of size, covered en66es must take ac6on and will be held accountable for safeguarding their pa6ents health informa6on. From U.S. Health & Human Services Office of Civil Rights on 4/13/2015 hbps://ocrportal.hhs.gov/ocr/breach
7 And It s Personal! Relevance
8 And It s Personal! Relevance Credit and iden6ty protec6on 5 family members Each individually enrolled Two years of monitoring
9 Risk
10 Our Risk Profile Risk Unmanaged! Managed! Aware! Negligent! Prepared! Unaware! Ignorant! Incompetent!
11 Today s Goal: Awareness Risk Unmanaged! Managed! Aware! In Negligent! Process! Prepared! Unaware! Ignorant! Incompetent!
12 Context Medical Devices OCR HIE ONC HHS HIPAA EHR FDA ACO SAG PHR Courts
13 ephi Context Defini6on: electronic Protected Health Informa2on (ephi) is pa6ent health informa6on created, received, stored, maintained, processed and/or transmibed in, on, or through any form of electronic means. Adapted from a HIPAA presenta6on by Marion Jenkins, PhD, FHIMSS HiMSS 15 Conference on 4/13/2015
14 ephi Context The HIPAA Security Rule: Covered En66es must protect and secure all electronic Protected Health Informa2on (ephi) against accidental or inten6onal causes of unauthorized access, thej, loss, or destruc6on, from both internal and external sources. Adapted from a HIPAA presenta6on by Marion Jenkins, PhD, FHIMSS HiMSS 15 Conference on 4/13/2015
15 Exi6ng Medical Devices Rental return Lease turn- in Re6rement (EOL) Redeployment Resale Service/repair Context
16 Medical Devices & ephi Examples
17 Small Device Big Surprise! Diagnos6c Spirometer A portable babery operated device for tes6ng respiratory volume and func6on.
18 Small Device Big Surprise! Small enough to fit in the pocket of a pair of scrubs. Holds enough ephi to require HIPAA breach no6fica6on to HHS if lost, stolen or disposed of improperly.
19 Small Device Big Surprise! ephi stored on this device: full name date of birth height and weight sex ethnicity history of asthma history of smoking
20 Small Device Big Surprise! More about this device: No user authen6ca6on Unencrypted stored data Unrestricted expor6ng Holds 2040 pa6ent records
21 Large Device Big Surprise! A line of clinical analyzer systems
22 Large Device Big Surprise! 7 analyzers were evaluated for ephi risk Records found ranged from 1 to 25,000 per device Model Pa/ent Data? ephi Elements Observed 250 Yes first name, last name, test date, test type, test result 350 Yes first name, last name, test date, test type, test result ECi Yes first name, last name, date of birth, sex, test date, test type, test result ECiQ Yes first name, last name, date of birth, sex, test date, test type, test result 5.1 Yes first name, last name, date of birth, sex, test date, test type, test result 5600 Yes first name, last name, date of birth, sex, test date, test type, test result
23 Large Device Big Surprise! More about these devices: No user authen6ca6on Unencrypted stored data Unrestricted expor6ng Breach risk: 50k to 90k pa6ent records for 7 units
24 Smarter Device S6ll Surprised! This ultrasound system has the capability of storing pa6ent data on a hard drive separate from the opera6ng system and applica6on sojware. Removal and destruc6on of the pa6ent data hard drive is easily accomplished.
25 Smarter Device S6ll Surprised! Unfortunately, data elements that qualify as ephi, such as pa6ent name, pa6ent ID, procedure date/ 6me, facility names, doctor names, and descrip6ons of pa6ent history were found on the opera6ng system hard drive.
26 Smarter Device S6ll Surprised! ephi data was also found in the pagefile.sys file on the opera6ng system hard drive. This file is used by the Windows opera6ng system to buffer informa6on before it is wriben to memory for processing.
27 ephi Detec6ve Un6l manufacturers build in ephi safeguards, we have to rely on detec6ve work to make informed choices about ephi disposi6on on medical devices. ephi The MDS 2 form (Manufacturer Disclosure Statement for Medical Device Security) is a good start.
28 ephi Detec6ve Display and Print capability Obvious Input capability Electrocardiograph Portability can be powered by an internal babery pack
29 ephi Detec6ve Block Diagram obtained from the service manual found online - Google.
30 Abundant input and output connec6vity for data transfer. ephi Detec6ve
31 ephi Detec6ve The use of Compact Flash storage media for sojware upgrades is intriguing.
32 Discovery: a common storage device. ephi Detec6ve
33 ephi Detec6ve Findings: 40 pa6ent records first name last name date of birth test date diagnos6c test results preliminary diagnosis provider name clinic loca6on
34 ephi For Sale?
35 ephi For Sale?
36 ephi For Sale?
37 ephi For Sale?
38 Our Risk Profile Risk Unmanaged! Managed! Aware! Negligent! Prepared! Unaware! Ignorant! Incompetent!
39 Awareness: Now What? Awareness Short term ac6vi6es: Confirm or iden6fy who in your organiza6on is responsible for data privacy and security on various device types Iden6fy all [poten6al] data bearing devices in your organiza6on If you are not already using it, adopt the MDS 2 form as a star6ng place to evaluate risk for current device inventory Implement some form of controlled exit for these devices Check for BAAs in place and indemnifica6on when custody transfers
40 Awareness: Now What? Applica6on Long term ac6vi6es: Develop a comprehensive asset disposi6on program that accounts for the complexi6es of ephi bearing medical devices Add ephi mi6ga6on requirements to the equipment procurement process. Ask manufacturers to provide: A completed MDS 2 form. Separate storage media for device opera6ng system/applica6on sojware and pa6ent data Encryp6on of pa6ent data storage media
41 Awareness: Now What? Applica6on Long term ac6vi6es (con6nued): Ask manufacturers to provide: Destruc6ve erasure capability for encrypted pa6ent storage media No system or applica6on logging of ephi elements to device opera6ng system/applica6on sojware storage media Indemnifica6on in the event of a data breach if manufacturer provided steps to remove ephi are followed, but do not result in an ephi free device
42 Discussion Ray Davey CTO Maxxum, Inc
43 Compliance In 3 Steps! The Guard HIPAA Education Series sponsored by: Outside Consultant Other Compliance Software Manuals or Templates Risk Assessmen Provider HIPAA ( ) HIPAA Copyright
HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC What cons?tutes PHI? HIPAA provides a list of 18 iden?fiers that cons?tute PHI. Any one of these iden?fiers
More informationBuild a HIPAA- Compliant Prac5ce. Wes Strickling, Founder & CEO
Build a HIPAA- Compliant Prac5ce Wes Strickling, Founder & CEO Agenda What is HIPAA Compliance? What does it mean to your prac5ce? What should you do? Q & A What Is HIPAA Compliance? Health Insurance Portability
More informationTop Practices in Health IT Compliance. Data Breach & Leading Program Prac3ces
Top Practices in Health IT Compliance Data Breach & Leading Program Prac3ces Overview Introduc3on to ID Experts & Secure Digital Solu3ons Healthcare Data Breach Trends & Drivers Data Incident Management
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationHIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014
HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014 Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities
More information8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice
Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone
More informationHow To Find Out What People Think About Hipaa Compliance
Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry
More informationHIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
More informationCovered En**es Should Periodically Audit Third Party Vendors/Business Associates Why, What, & How?
Covered En**es Should Periodically Audit Third Party Vendors/Business Associates Why, What, & How? March 27 th 12 pm EDT Moderator: Gerry Blass Panelists: Mac McMillan, Francois Bodhuin, Lou Dignam Webinar
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationIndustry leading Education
Industry leading Education Please ask questions #CGwebinar Todays slides are available http://compliancy- group.com/slides023/ Past webinars and recordings http://compliancy- group.com/webinar/ 855.85HIPAA
More informationFTC Data Security Standard
FTC Data Security Standard The FTC takes the posi6on (Being tested now in li6ga6on) that Sec6on 5 of the FTC Act requires Reasonable Security under the circumstances: that companies have reasonable controls
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationHow to prepare your organization for an OCR HIPAA audit
How to prepare your organization for an OCR HIPAA audit Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. Technical Assistance: 978-674-8121 or Amanda.Howell@iatric.com Audio Options: Telephone
More informationHIPAA Risk Assessments for Physician Practices
HIPAA Risk Assessments for Physician Practices Eric Sandhusen Corporate Compliance Director and Privacy Officer Lloyd Torres Director of Ambulatory HIM DISCLAIMER The statements and opinions presented
More informationProofpoint HIPAA Breach Report:
Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents
More informationHIPAA in an Omnibus World. Presented by
HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters
More informationDon t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks
Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Thank you for joining us. We have a great many participants in today s call. Your phone is currently
More informationAuditing Security: Lessons Learned From Healthcare Security Breaches
Auditing Security: Lessons Learned From Healthcare Security Breaches Adam H. Greene, J.D., M.P.H. Davis Wright Tremaine LLP Washington, D.C. Michael Mac McMillan CynergisTek, Inc. Austin, Texas DISCLAIMER:
More informationHIPAA Basics. Health Insurance Portability and Accountability Act of 1996
HIPAA Basics Health Insurance Portability and Accountability Act of 1996 HIPAA: What Is HIPAA? Protects the privacy of healthcare informa@on for all Americans, including the individuals you support Protects
More informationOutline. Learning Objectives 9/23/2013. HIPAA Headline
HIPAA Security: How to avoid becoming the next HIPAA Headline Marion K. Jenkins, PhD, FHIMSS Executive Vice President Healthcare 3t Systems Adjunct Faculty HC IT University of Denver MGMA Annual Meeting,
More informationOutline. Outline. What is HIPAA? I. HIPAA Compliance II. Why Should You Care? III. What Should You Do Now?
Outline MOR-OF Education and Medical Expo August 23, 2014 Tatiana Melnik Melnik Legal PLLC tatiana@melniklegal.com 734-358-4201 Tampa, FL I. HIPAA Compliance II. Why Should You Care? A. Market Pressure
More informationSecurity Awareness. Top Security Issues. Office of Informa(on Technology Informa5on Security Department 2011-2012 BE CYBER SAFE
Security Awareness Office of Informa(on Technology Informa5on Security Department 2011-2012 Top Security Issues BE CYBER SAFE 1 Top Security Items for 2011-2012 Passwords Social Networking Phishing Malware,
More informationSENDING HIPAA COMPLIANT EMAILS 101
White Paper SENDING HIPAA COMPLIANT EMAILS 101 THE SAFEST WAYS TO SEND PHI 2015 SecurityMetrics Sending HIPAA Compliant Emails 101-1 SENDING HIPAA COMPLIANT EMAILS 101 THE SAFEST WAYS TO SEND PHI HIPAA
More informationHIPAA Security Education. Updated May 2016
HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)
More informationHIPAA Privacy and Security
HIPAA Privacy and Security Cindy Cummings, RHIT February, 2015 1 HIPAA Privacy and Security The regulation is designed to safeguard Protected Health Information referred to PHI AND electronic Protected
More informationPHI- Protected Health Information
HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson
More informationSecurity Considerations for the Cloud
June 6, 2012 Security Considerations for the Cloud Presented by: Mac McMillan CEO CynergisTek, Inc. Chair, HIMSS Privacy & Security Policy Task Force 1 2012 NIST/OCR Conference Agenda Threat Implications
More informationTHE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE
THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationElectronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security
Electronic Communication In Your Practice How To Use Email & Mobile Devices While Maintaining Compliance & Security Agenda 1 HIPAA and Electronic Communication 2 3 4 Using Email In Your Practice Mobile
More informationHealthcare and IT Working Together. 2013 KY HFMA Spring Institute
Healthcare and IT Working Together 2013 KY HFMA Spring Institute Introduction Michael R Gilliam Over 7 Years Experience in Cyber Security BA Telecommunications Network Security CISSP, GHIC, CCFE, SnortCP,
More informationAnatomy of a Healthcare Data Breach
BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationHIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013
Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative
More information2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security
2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationData Managers Interest Group. Research. April 17, 2012
Data Managers Interest Group Institute of Clinical and Translational Research April 17, 2012 Privacy & Security Contacts hipaa@jhmi.edu network.security@jhmi.edu IT Help Desk 410.735.4357 3 Or you can
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationHIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012
HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually
More informationSecurity Is Everyone s Concern:
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
More informationEvolution of Cyber Security in Healthcare
Evolution of Cyber Security in Healthcare Spencer L SooHoo, PhD Director, Scientific Computing & Chief Security Officer Enterprise Information Services Healthcare and Security How we got here Healthcare
More informationArt Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
More informationHealthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014
Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Agenda Introduction / Session Overview HIT Budgeting 101 Security and Compliance EHR budgeting HIT Where Are We Going Q & A 2 Copyright
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationHIPAA Privacy Policy (Revised Feb. 4, 2015)
Valley Bone & Joint Clinic HIPAA Privacy Policy (Revised Feb. 4, 2015) 1. PURPOSE Valley Bone & Joint Clinic is commi2ed to protec6ng the rights of our pa6ents. In compliance with the Health Insurance
More informationSafeguard Your Hospital. Six Proactive Best Practices to Improve Healthcare Data Security
Safeguard Your Hospital Six Proactive Best Practices to Improve Healthcare Data Security April 2015 A Piece of Paper Can t Cause that Much Harm. Or Can It? Imagine a piece of paper arriving at ABC Hospital
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationGreenway Marketplace. Hear from GSG Compliance & White Plume November 14, 2013
Greenway Marketplace Hear from GSG Compliance & White Plume November 14, 2013 Marketplace Mission Statement To enhance the Greenway customer user experience by offering innovative, forwardthinking technologies
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationHealthcare Informa/on at Risk: Prac/cal Strategies to Avoid Breaches
Healthcare Informa/on at Risk: Prac/cal Strategies to Avoid Breaches Sam Pierre- Louis, CISSP- ISMP - - MDAnderson Cancer Center David Houlding, CISSP, CIPP - - Intel David S. Finn, CISA, CISM, CRISC -
More informationHIPAA and Health Information Privacy and Security
HIPAA and Health Information Privacy and Security Revised 7/2014 What Is HIPAA? H Health I Insurance P Portability & A Accountability A - Act HIPAA Privacy and Security Rules were passed to protect patient
More informationReporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule
Reporting of HIPAA Privacy/Security Breaches The Breach Notification Rule Objectives What is the HITECH Act? An overview-what is Protected Health Information (PHI) and can I protect patient s PHI? What
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationHIMSS Security Survey
NOvember 2011 HIMSS Security Survey Supported by: www.himss.org 2011 HIMSS Security Survey Final Report November 2, 2011 Now in its fourth year, the 2011 HIMSS Security Survey reports the opinions of information
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationSan Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP
Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO
More informationHIPAA Privacy & Security Training for Clinicians
HIPAA Privacy & Security Training for Clinicians Agenda This training will cover the following information: Overview of Privacy Rule and Security Rules Using and disclosing Protected Health Information
More informationDocument Imaging Solutions. The secure exchange of protected health information.
The secure exchange of protected health information. 2 Table of contents 3 Executive summary 3 The high cost of protected health information being at risk 4 The compliance officer s dilemma: keeping PHI
More informationCreating Stable Security & Compliance Relationships
Creating Stable Security & Compliance Relationships David Holtzman JD, CIPP/G VP, Compliance CynergisTek, Inc. James Wieland JD Principal Ober Kaler Welcome The slides for today s webinar are available
More informationHIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator
HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title
More informationRSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS
RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,
More informationPoten&al Impact of FDA Regula&on of EMRs. October 27, 2010
Poten&al Impact of FDA Regula&on of EMRs October 27, 2010 Agenda The case for regula&ng Impact on manufacturers Impact on providers Recommenda&ons and best prac&ces 2 A Medical Device Is an instrument,
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationBreaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014
Breaches Complying with the HIPAA Omnibus Final Rule You Can Be Successful! Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over
More informationBrief. The BakerHostetler Data Security Incident Response Report 2015
Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the
More informationHealthcare to Go: Securing Mobile Healthcare Data
Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationHIPAA Training for Hospice Staff and Volunteers
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
More informationNEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationAssessing Your HIPAA Compliance Risk
Assessing Your HIPAA Compliance Risk Jennifer Kennedy, MA, BSN, RN, CHC National Hospice and Palliative Care Organization HIPAA Security Rule All electronic protected health information (PHI and EPHI)
More informationHIPAA initially went into effect April 14, 2003. HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.
HIPAA Health Insurance Portability and Accountability Act HIPAA initially went into effect April 14, 2003 HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.
More informationUnderstanding HIPAA Regulations and How They Impact Your Organization!
Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor
More informationDisclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement
Office of the Secretary Office for Civil Rights () Current Developments in Privacy and Security Rule Enforcement Michigan Medical Billers Association Andrew C. Kruley, J.D. Equal Opportunity Specialist
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationPresented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security
More informationPage 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;
Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014
More informationThe Importance of Perimeter Security
REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach to IT security FEATURE STORY REPRINT FEBRUARY 2013 healthcare financial management association hfma.org a new approach
More informationManaging Cyber & Privacy Risks
Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past
More informationCompliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations
Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased
More informationQ: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption?
Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? A. Most e-mail systems do not include encryption. There are
More informationHIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS
HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,
More informationTop HIPAA Hazards and How to Avoid Them
Top HIPAA Hazards and How to Avoid Them HIPAA penalties are getting bigger and bigger, and are almost always issued for inadvertent mistakes. MPA monitors the Office of Civil Rights (OCR) HIPAA enforcements
More informationMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?
More information