PREP Course #23: Privacy and IT Security for Researchers
Slide 1: PREP Course #23: Privacy and IT Security for Researchers
Presented by: Emmelyn Kim, Office of Research Compliance & Debbie Wright, Office of Corporate Compliance

Slide 2: CME Disclosure Statement
The North Shore-LIJ Health System adheres to the ACCME's new Standards for Commercial Support. Any individuals in a position to control the content of a CME activity, including faculty, planners, and managers, are required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are thoroughly vetted by the North Shore-LIJ for fair balance and scientific objectivity and to ensure appropriateness of patient care recommendations. Course Director Kevin Tracey has disclosed a commercial interest in Setpoint, Inc. as the cofounder, for stock and consulting support. He has resolved his conflicts by identifying a faculty member with no conflicts to conduct content review of this program. Speakers Emmelyn Kim & Debbie Wright have nothing to disclose.

Slide 3: Today's Objectives
- Identify various privacy and IT security issues that can occur in the research setting
- Acquire techniques to manage privacy and IT security risks in research

Slide 4: Today We Will Discuss
- HIPAA Privacy & Security related regulatory requirements
- Privacy and security risks in the current environment
- Techniques to reduce potential privacy and IT security risks in research
- Use of Business Associate Agreements
- Resources available to mitigate risks

Slide 5: Question: Where do Privacy & Security Requirements Come From?

Slide 6: Privacy & Security Regulatory Requirements
HIPAA: Health Insurance Portability and Accountability Act. A federal law to facilitate continuity of care that adds protections for health information:
1. HIPAA Privacy Rule
- Governs use and disclosure of protected health information
- Applies to all PHI, including oral, written, and electronic
2. HIPAA Security Rule
- Governs security standards for protecting health information
- Applies only to electronic PHI
Slide 7: To Whom Does HIPAA Apply?
A) Everyone
B) Only covered entities (e.g. a provider, facility or organization that conducts health care operations involving creation and transmission of PHI)
C) Researchers that are not part of a covered entity
D) Researchers collecting de-identified data

Slide 8: PHI: A Quick Review
PHI = Protected Health Information
- Individually identifiable health information (e.g. oral, written or electronic) collected or stored
- Associated with or derived from a healthcare service event such as diagnosis or treatment, payment or operations
- Within the medical record or designated record set

Slide 9: What are the 18 HIPAA Identifiers?
1. Name
2. Geographic location
3. Elements of dates
4. Telephone #
5. Fax #
6. E-mail address
7. Social Security #
8. Medical record #
9. Health plan beneficiary #
10. Account #
11. Certificate/license #
12. VIN, serial #s, license plate #s
13. Device identifiers/serial #
14. Web URLs
15. IP address #s
16. Biometric identifiers
17. Full face photographic images
18. Other unique identifying #, characteristic, or code

Slide 10: Beyond HIPAA
Value and importance of privacy & security:
- Protecting valuable research data
- Intellectual property
- Public trust fosters research
- Protection of research subjects from harm and preservation of their rights is essential to ethical research [1]
1. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.

Slide 11: What Are the Main Concepts of HIPAA Privacy?
1. With some exceptions, PHI can only be used, accessed or disclosed with patient authorization. Two important exceptions: health care operations (e.g. treatment, payment) and education
2. Patients have the right to understand and control use of their PHI

Slide 12: What is the Main Concept of HIPAA Security?
Physical, administrative and technical safeguards are required to ensure the confidentiality, integrity and security of electronic protected health information.

Slide 13: Who is Looking at This?
The Office for Civil Rights (OCR) enforces both the Privacy & Security Rules
- Performs regular audits of covered entities
- Increased audits starting 2011
- Audit protocol and findings listed on the OCR web site
Slide 14: Privacy and Security Risks in the Current Environment and Risk Reduction Techniques

Slide 15: What Are Some Risks You Can Think of in the Current Environment?
Technology trends:
- Use of electronic data and systems (e.g. EMR, electronic data capture, research data from various sources, etc.)
- Use of portable devices (e.g. smart phones, laptops, tablets, flash drives, etc.)
- Cloud-based use for maintenance and storage of data
- Use of social media and public forums
Security issues:
- Data breaches: identity theft prevention
- Data integrity or loss: disaster recovery plans

Slide 16: Challenges of Protecting Privacy and Security (image; source not captured)

Slide 17: Recent Headlines
US HHS settles HIPAA security cases:
- Alaska DHHS for $1.7 million: USB hard drive with ePHI was stolen from the vehicle of an employee
- Phoenix Cardiac Surgery for $100,000: posting patient appointments on a publicly accessible internet-based calendar
- BCBST for $1.5 million: 57 unencrypted computer hard drives containing PHI were stolen from a leased facility
- Mass General Hospital for $1 million: loss of PHI via documents left by an employee on the subway train
- UCLA for $865,500: unauthorized access to celebrity PHI by employees

Slide 18: Recent Tweets (image)
Slide 19: Case Study: Physical Safeguards
Dr. Tresh got his IRB approval to do a study that required collection of data with PHI from the EMR. He was too busy, so he had one of his residents, Butters, who was not listed on the study, go into the EMR to gather the data for him. Butters didn't have a computer, so he used one in a public lounge where the screen could easily be seen by others. When he finished viewing the EMR he forgot to log off, because he was so excited to get the data (which he had downloaded onto a mini hard drive) to Dr. Tresh. Butters couldn't find Dr. Tresh, so he left the hard drive in the resident lounge with a note taped to it. Later the cleaners came by to do a sweep and threw away the hard drive because they thought the note said "For Trash". What's wrong with this picture?

Slide 20: Case Study: Technical Safeguards
Susan was collecting sensitive information for a project on infectious disease and had to send information to an external collaborator at Jon12@research.edu by Wednesday. On Tuesday she became ill and asked her colleague Jody to send the information for her. She gave Jody her user ID and password to access the database to download the information. Jody went into the database, downloaded the file and sent the data to Jon21@research.edu through her Gmail account. What's wrong with this picture?

Slide 21: Encrypt E-mail through HS E-mail
- By typing the words "Secure" or "PHI" in the subject line
- Or by clicking the "Encrypt and send" (Zixmail) button when you send

Slide 22: Device Encryption
Mobile devices = laptops, tablets, removable portable hard drives, USB/thumb drives, smart phones, etc.
To check that a device is using HS encryption, verify that the Sophos SafeGuard icon is located within the system tray.

Slide 23: Scenario: A laptop containing PHI of 500+ individuals was stolen
Non-encrypted = information not adequately protected:
- Internal investigation
- Notification of media
- Notification of individuals of breach & call center set up
- External investigations
- Excess man hours dedicated to the issue
Vs.
Encrypted = information protected:
- Internal investigation
- Minimal man hours dedicated to the issue
Slide 24: Case Study: Administrative Safeguards
Pip was gathering data for a neonatal study she was doing at her facility. She created a folder on her desktop called the Newbie Study, and files were saved in the folder on her C:\ drive. Later that year a tornado ripped apart her office and destroyed her computer. She was not aware of any disaster recovery plan for her facility and did not have a backup of her study data. What's wrong with this picture?

Slide 25: Save Data on Health System Servers
- Create shared folders on health system servers with limited access (study team only)
- Do not save on your C:\ drive; that is only your local computer
- Files saved on HS servers are backed up regularly
- Terminate access to folders and databases accordingly

Slide 26: (image; source not captured)

Slide 27: Case Study: Administrative Safeguards
Casper had a lot of data that he was collecting for his clinical trial and found a great cloud storage vendor that offered remarkably low prices. He decided to go with them and paid out of pocket for their services, since he didn't want to bother going through internal channels; it took too long. Four months later the vendor went out of business and he couldn't access his data. He later read in the news that a hacker had stolen all the data from the vendor, which is why they shut down. They didn't have any other backup of their data. What's wrong with this picture?

Slide 28: Impact of the HITECH Act
Health Information Technology for Economic and Clinical Health Act
- Security provisions, including notification of patients & HHS of security breaches
- Increased penalties for violations of HIPAA rules, with a maximum penalty of $1.5 million
- Applies HIPAA to business associates
- Mandates HIPAA audits

Slide 29: Impact of the Final Omnibus HIPAA Rule
2013 changes to HIPAA & HITECH include:
- New data breach standard that presumes that the security of PHI is compromised if it is misused
- More aggressive OCR enforcement and fines
- Applies HIPAA to subcontractors of business associates
= Greater liability and compliance requirements
Slide 30: HIPAA Breach Analysis
Requires a new risk assessment that includes:
1. The nature and extent of the PHI involved
2. The recipient of the PHI
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk was mitigated following the unauthorized disclosure

Slide 31: What About Our Business Associates?
Business associate (BA) = a person or organization outside of the HS workforce who provides services to HS that involve the use or disclosure of PHI
- E.g. claims processing, billing, medical record delivery, data analysis, quality assurance reviews
- Agreements with business associates must include protections for the PHI and cannot let the business associate do anything that would violate HIPAA
- HIPAA extends to subcontractors

Slide 32: Why Is It Important?

Slide 33: Polluted Medical Record

Slide 34: Protect Mobile Devices
Regardless of whether the mobile device is:
- Personally owned, bring your own device (BYOD)
- Provided by our organization
Dispose of USB drives and other media that may contain PHI; call the Help Desk for assistance.
Take the Steps to Protect and Secure Health Information When Using a Mobile Device

Slide 35: What Not To Do With Your Mobile Devices
- Share your mobile device password or user authentication
- Allow use of your mobile device by unauthorized users
- Store or send unencrypted health information with your mobile device
- Ignore mobile device security software updates
- Download applications (apps) without verifying they are from a trusted source
- Leave your mobile device unattended
- Use an unsecured Wi-Fi network
- Discard your mobile device without first deleting all stored information
- Ignore our mobile device policies and procedures
Slide 36: Be Cautious When Using Social Media (image; source not captured)

Slide 37: What Else?
Huping Zhou, a researcher for the UCLA Healthcare System, was accused of accessing electronic health care records without authorization for 323 patient records, including actors. NAME THAT PUNISHMENT!

Slide 38: Protect Sensitive Information
- Do not collect Social Security numbers and Medicare numbers unless absolutely necessary
- NYS law requires strict protection of this information
- If you collect this information you are now burdened with the responsibility of protecting it
- This information can be masked in databases
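As an added example (not part of the course materials), a small Python screen that checks a research data extract for a subset of the identifiers listed on slide 9 and masks them, including the Social Security numbers that slide 38 says can be masked in databases. The regular expressions, the "MRN <digits>" record-number shape and the sample note are constructed for illustration; names, geographic data, biometrics and photographs are outside what pattern matching can catch.

```python
from __future__ import annotations
import re

# Added example, not course material: heuristic patterns for a subset of the
# 18 HIPAA identifiers on slide 9. This is a pre-release screen, not a full
# de-identification method. The "MRN <digits>" shape is a constructed assumption.
PATTERNS = [
    ("7. Social Security #", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("8. Medical record #", re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE), "[MRN]"),
    ("14. Web URLs", re.compile(r"\bhttps?://\S+"), "[URL]"),
    ("6. E-mail address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    ("15. IP address #s", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("4./5. Telephone/Fax #", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
]
# "3. Elements of dates": under the Safe Harbor method the year may remain,
# so a full M/D/YYYY date is generalized to its year rather than removed.
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def find_identifiers(text: str) -> list[str]:
    """Return the slide-9 categories whose pattern occurs in text (empty list = clean)."""
    found = [category for category, regex, _ in PATTERNS if regex.search(text)]
    if DATE_RE.search(text):
        found.append("3. Elements of dates")
    return found


def mask_identifiers(text: str) -> str:
    """Replace matched identifiers with tokens; full dates collapse to the year."""
    masked = text
    for _, regex, token in PATTERNS:
        masked = regex.sub(token, masked)
    return DATE_RE.sub(lambda m: m.group(3), masked)


def screen_record(record: dict[str, str]) -> dict[str, list[str]]:
    """Map each field of a record to the identifier categories it still carries.

    Clean fields are left out, so an empty dict means the record passed this
    (partial) screen and can move on to a human review.
    """
    flagged = {}
    for field, value in record.items():
        hits = find_identifiers(value)
        if hits:
            flagged[field] = hits
    return flagged


# Constructed sample: a free-text note of the kind a study team might export
# from the EMR into a shared folder without checking it first.
SAMPLE_NOTE = ("Pt John Doe, MRN 4471923, DOB 03/14/1952, SSN 123-45-6789, "
               "phone (516) 555-0199, e-mail jdoe@example.org, seen 11/02/2013 "
               "from 10.20.30.40 via https://portal.example.org/chart/4471923")

if __name__ == "__main__":
    for field, categories in screen_record({"note": SAMPLE_NOTE, "study_arm": "B"}).items():
        print(f"{field}: {', '.join(categories)}")
    print(mask_identifiers(SAMPLE_NOTE))
```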
Slide 39: Mailing/E-mailing Checklist
- Carefully check the name and address of the intended recipient. Many names are similar; make sure you have the correct name for the intended recipient on the envelope or the "to" line.
- Make sure the address on the envelope matches the correct address of the intended recipient.
- Carefully check the contents before sealing the envelope or hitting send. Make sure the contents may be permissibly disclosed to the intended recipient or properly relate to the individual. Check all pages to make sure records or material related to other individuals are not mistakenly included.
- Check the information showing on the outside of the envelope or through the address window. Make sure identifying information that is not necessary to ensure proper delivery is not disclosed.

Slide 40: Faxing, Scan/E-mailing Checklist
- Carefully check the fax number/e-mail address to make sure you have the correct information for the intended recipient. When manually entering the number/e-mail address, check to see that it has been entered correctly before sending.
- Confirm the fax number/e-mail address with the intended recipient when sending to a party for the first time or if sent infrequently.
- Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending.
- Update fax numbers promptly upon receipt of notification of a correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine.

Slide 41: Faxing, Scan/E-mailing Checklist (Cont'd)
- Locate fax machines/scanners in areas where access can be monitored and controlled, and avoid leaving patient information on machines after sending.
- Have policies and procedures in place to safeguard protected health information that is faxed/scanned, including processes to act promptly on (1) changes in fax numbers/e-mail addresses, to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax/e-mail, to identify the cause and take steps to prevent future incidents, including revising the organization's policies and procedures.
- Train staff on the policies and procedures for the proper use of fax machines/scanners that your organization has put in place to safeguard protected health information. Update training periodically and be sure to train new staff.
Slide 42: Resources Available
Research Resources: ORC Web Site, under Tools and Guidance / Electronic Security:
- ePHI Security Guidance
- HIPAA Compliance and Microsoft Applications
- Microsoft Applications Delegation and Access Log
- ePHI Security Tips

Slide 43: Secure IT Card

Slide 44: HS Resources Available: IS Web Site

Slide 45: HS Resources Available
Health System policies related to IT privacy and security, under Information Services Policies and Procedures. Be aware of the following policies (including but not limited to):
- Computer Usage Policy
- Disaster Planning and Operations Policy
- Data Encryption and Integrity Policy
- Device and Media Control Policy

Slide 46: OCR web site:

Slide 47: Thank You! Contact Us for Questions
Research Compliance
- General: (516) / orc@nshs.edu
- Emmelyn Kim: (516) / ekim@nshs.edu
Corporate Compliance
- General: (516) /
- Debbie Wright: (516) / dwright3@nshs.edu
More informationHIPAA 101: Privacy and Security Basics
HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually
More informationBuilding a Culture of Health Care Privacy Compliance
Building a Culture of Health Care Privacy Compliance September 10, 2014 Presented by: Gerry Hinkley, Partner, Pillsbury Greg Radinsky, VP & Chief Corporate Compliance, North Shore - LIJ Wendy Maneval,
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationSomansa Data Security and Regulatory Compliance for Healthcare
Somansa White Paper Somansa Data Security and Regulatory Compliance for Healthcare How Somansa can protect ephi- electronic patient health information and meet the requirements for healthcare compliances,
More informationHIPAA Privacy. September 21, 2013
HIPAA Privacy September 21, 2013 HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff,
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationBreaches Happen: Protect Your Patients, Your Research and You
Breaches Happen: Protect Your Patients, Your Research and You Kathryn Schuff, MD, MCR Chair, OHSU IRB John Rasmussen, MA Chief Information Security Officer The Intersection of Research and Privacy: Purpose
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationHIPAA and Clinical Research
To Heal. To Teach. To Discover. HIPAA and Clinical Research 2011 Training Jennifer Edlind, UH Privacy Officer Ryan Terry, UH Information Security Officer 1 Agenda Research credentialing overview HIPAA
More informationHIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1
HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
More informationHealth Insurance Portability and Accountability Act (HIPAA) Overview
Health Insurance Portability and Accountability Act (HIPAA) Overview Agency, Contract and Temporary Staff Orientation Initiated: 5/04, Reviewed: 7/10, Revised: 10/10 Prepared by SHS Administration & Samaritan
More informationToday s Webcast is presented by Michael, also from the DART Team. Michael will provide
Welcome to today s Webcast. Thank you so much for joining us today! My name is Ellie Coombs. I m a member of the DART Team, one of several groups engaged by HAB to provide training and technical assistance
More informationPHI- Protected Health Information
HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationHIPAA Compliance Issues and Mobile App Design
HIPAA Compliance Issues and Mobile App Design Washington, D.C. April 22, 2015 Presenter: Shannon Hartsfield Salimone, Holland & Knight LLP, Tallahassee and Jacksonville, Florida Agenda Whether HIPAA applies
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:
More informationInformation Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514
More informationHIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES
SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):
More informationHIPAA Training for Hospice Staff and Volunteers
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationHIPAA Privacy and Security and Research
ICTS Brown Bag Seminar Successful Completion: Participants must complete an evaluation form to receive a certificate of completion Contact Hours: 1 contact hours is available to those who meet the successful
More informationHIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012
HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: To introduce the staff of Munson Healthcare to the concepts
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationNetwork Security for End Users in Health Care
Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the
More informationWelcome to the University of Utah Health Sciences HIPAA Privacy and Security Training Program
Welcome to the University of Utah Health Sciences HIPAA Privacy and Security Training Program You cannot have Privacy without Security. Requirements of All UUHS Workforce Members ALL University of Utah
More informationHIPAA Final Rule Changes
HIPAA Final Rule Changes What you need to know and do now Presented by Lucy A. Homans, Ed.D WSPA Director of Professional Affairs Prepared by the APA Practice Organization Introduction January 2013: U.S.
More informationThe Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015
The Department of Health and Human Services Privacy Awareness Training Fiscal Year 2015 Course Objectives At the end of the course, you will be able to: Define privacy and explain its importance. Identify
More information