Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Size: px
Start display at page:

Download "Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE"

Transcription

1 Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

2 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] ii CONTENTS OVERVIEW...1 ADDRESSING THE UNIQUE ISSUES OF HEALTHCARE...3 THE CONSEQUENCES OF NOT COMPLYING...5 THE RISK OF A DATA BREACH...6 PARTNERING TO ACHIEVE END-TO-END COMPLIANCE...7

3 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] 1 OVERVIEW As those that work in healthcare IT know, the healthcare industry has some of the most complex IT needs of all industries that exist today. However, HIPAA and related healthcare IT requirements are some of the most nonprescriptive in the IT space, especially when compared to other standards such as PCI, which is used to protect payment card information in financial services organizations. With more than 14 million individuals employed in the industry in the United States, protecting the privacy and confidentiality of a patients electronic medical health records from unauthorized access is paramount to achieving compliance with federal regulatory laws such as the Healthcare Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the American Recovery and Reinvestment Act and other laws that apply to healthcare organizations.

4 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] 2 Organizations subject to HIPAA, referred to as covered entities, or organizations delivering services to covered entities, known as business associates per the HITECH Act include: Healthcare providers such as doctors, hospitals, etc. Healthcare insurance and health plan clearinghouses Businesses who self-insure Businesses that sponsor a group health plan and provide assistance to their employees on medical coverage Businesses that deliver services to other healthcare providers Per these regulatory laws, covered entities and business associates are required to ensure the following safeguards on patient data in order to remain compliant: Administrative safeguards to protect data integrity, confidentiality and availability of electronic protected health information (ephi) Physical safeguards to protect data integrity, confidentiality and availability of ephi Technical safeguards to protect data integrity, confidentiality and availability of ephi Meeting this array of requirements demands healthcare entities set up strong processes, methods and controls to assure auditors that security and integrity of PHI and ephi is guaranteed, all while EHR are beginning to be used. In addition, the HITECH Act was signed into law in 2009 and increases the use of Electronic Health Records (EHR) by physicians and hospitals. The Medicare EHR Incentive Program began in 2011, through which eligible healthcare providers are offered financial incentives for adopting, implementing, upgrading or demonstrating meaningful use of EHR. The incentive payments will continue through 2016, which is the last year to begin participation in the program. Beginning in 2015, penalties may be levied for failing to demonstrate meaningful use. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate such use. The Medicaid EHR Incentive Program s incentive payments will continue through 2021, however the last year that an eligible healthcare professional can begin participation in the program will be Meeting this array of requirements demands healthcare entities set up strong processes, methods and controls to assure auditors that security and integrity of PHI and ephi is guaranteed, all while EHR are being used. Maintaining the security of patient data is a complex proposition that affects every employee of a healthcare facility, every area of its IT system, and all vendors, partners and insurers that work with the healthcare provider. These requirements become even more complex when organizations work with the single largest healthcare program in the world, TRICARE. TRICARE is the healthcare program serving uniformed service members, retirees and their families worldwide. Now, not only are healthcare organizations required to protect PHI and ephi, they re also required to support civilian and DoD IT requirements FISMA and DIACAP.

5 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] 3 Addressing the Unique Issues of Healthcare To ensure PHI and ephi, covered entities and business associates must abide by the following standards. REQUIREMENT 1. Breach Notification Policy 2. Security Management Process 3. Risk Analysis DESCRIPTION Define how Covered Entity will respond to security and/or privacy incidents or suspected privacy and/or security incidents that result in a breach. Describes processes the organization implements to prevent, detect, contain and correct security violations relative to its ephi. Discusses what the organization should do to identify, define and prioritize risks to the confidentiality, integrity and availability of its ephi. 4. Risk Management Defines what the organization should do to reduce the risks to its ephi to reasonable and appropriate levels. 5. Sanction Policy Indicates actions that are to be taken against employees who do not comply with organizational security policies and procedures. 6. Information System Activity Review Describes processes for regular organizational review of activity on its information systems containing ephi. 7. Assigned Security Responsibility Describes the requirements for the responsibilities of the Information Security Officer. 8. Workforce Security 9. Authorization and/or Supervision Describes what the organization should do to ensure ephi access occurs only by employees who have been appropriately authorized. Identifies what the organization should do to ensure that all employees who can access its ephi are appropriately authorized or supervised. 10. Workforce Clearance Procedure Reviews what the organization should do to ensure that employee access to its ephi is appropriate. 11. Termination Procedures Defines what the organization should do to prevent unauthorized access to its ephi by former employees. 12. Information Access Management Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ephi. 13. Access Authorization Defines how the organization provides authorized access to its ephi. 14. Access Establishment and Modification Discusses what the organization should do to establish, document, review and modify access to its ephi. 15. Security Awareness & Training Describes elements of the organizational program for regularly providing appropriate security training and awareness to its employees. 16. Security Reminders Defines what the organization should do to provide ongoing security information and awareness to its employees. 17. Protection from Malicious Software 18. Log-in Monitoring 19. Password Management 20. Security Incident Procedures Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting and reporting malicious software. Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies. Describes what the organization should do to maintain an effective process for appropriately creating, changing and safeguarding passwords. Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity or availability of its ephi. 21. Response and Reporting Defines what the organization should do to be able to effectively respond to security incidents involving its ephi. 22. Contingency Plan Identifies what the organization should do to be able to effectively respond to emergencies or disasters that impact its ephi. 23. Data Backup Plan Discusses organizational processes to regularly back up and securely store ephi. 24. Disaster Recovery Plan 25. Emergency Mode Operation Plan 26. Testing and Revision Procedure 27. Applications and Data Criticality Analysis 28. Evaluation 29. Business Associate Contracts and Other Arrangements 30. Facility Access Controls Indicates what the organization should do to create a disaster recovery plan to recover ephi that was impacted by a disaster. Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ephi during and immediately after a crisis situation. Describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up-to-date and effective. Reviews what the organization should do to have a formal process for defining and identifying the criticality of its information systems. Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule. Describes how to establish agreements that should exist between the organization and its various business associates that create, receive, maintain or transmit ephi on its behalf. Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.

6 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] Contingency Operations 32. Facility Security Plan 33. Access Control and Validation Procedures 34. Maintenance Records Identifies what the organization should do to have formal, documented procedures for allowing authorized employees to enter its facility to take necessary actions as defined in its disaster recovery and emergency mode operations plans. Discusses what the organization should do to establish a facility security plan to protect its facilities and the equipment therein. Discusses what the organization should do to appropriately control and validate physical access to its facilities containing information systems having ephi or software programs that can access ephi. Defines what the organization should do to document repairs and modifications to the physical components of its facilities related to the protection of its ephi. 35. Workstation Use Indicates what the organization should do to appropriately protect its workstations. 36. Workstation Security 37. Device and Media Controls 38. Disposal Reviews what the organization should do to prevent unauthorized physical access to workstations that can access ephi while ensuring that authorized employees have appropriate access. Discusses what the organization should do to appropriately protect information systems and electronic media containing PHI that are moved to various organizational locations. Describes what the organization should do to appropriately dispose of information systems and electronic media containing ephi when it is no longer needed. 39. Media Re-use Discusses what the organization should do to erase ephi from electronic media before re-using the media. 40. Accountability 41. Data Backup and Storage 42. Access Control 43. Unique User Identification 44. Emergency Access Procedure 45. Automatic Logoff 46. Encryption and Decryption 47. Audit Controls Defines what the organization should do to appropriately track and log all movement of information systems and electronic media containing ephi to various organizational locations. Discusses what the organization should do to backup and securely store ephi on its information systems and electronic media. Indicates what the organization should do to purchase and implement information systems that comply with its information access management policies. Discusses what the organization should do to assign a unique identifier for each of its employees who access its ephi for the purpose of tracking and monitoring use of information systems. Discusses what the organization should do to have a formal, documented emergency access procedure enabling authorized employees to obtain required ephi during the emergency. Discusses what the organization should do to develop and implement procedures for terminating users' sessions after a certain period of inactivity on systems that contain or have the ability to access ephi. Discusses what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of its ephi. Discusses what the organization should do to record and examine significant activity on its information systems that contain or use ephi. 48. Integrity Defines what the organization should do to appropriately protect the integrity of its ephi. 49. Mechanism to Authenticate Electronic Protected Health Information 50. Person or Entity Authentication 51. Transmission Security 52. Integrity Controls 53. Encryption Discusses what the organization should do to implement appropriate electronic mechanisms to confirm that its ephi has not been altered or destroyed in any unauthorized manner. Defines what the organization should do to ensure that all persons or entities seeking access to its ephi are appropriately authenticated before access is granted. Describes what the organization should do to appropriately protect the confidentiality, integrity and availability of the ephi it transmits over electronic communications networks. Indicates what the organization should do to maintain appropriate integrity controls that protect the confidentiality, integrity and availability of the ephi it transmits over electronic communications networks. Defines what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of ephi it transmits over electronic communications networks. 54. Policies and Procedures Defines what the requirements are relative to establishing organizational policies and procedures. 55. Documentation 56. Isolating Healthcare Clearinghouse Function 57. Group Health Plan Requirements 58. Wireless Security Policy 59. Security Policy Discusses what the organization should do to appropriately maintain, distribute and review the security policies and procedures it implements to comply with the HIPAA Security Rule. Purpose is to implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. The purpose is to ensure that reasonable and appropriate safeguards are maintained on electronic protected health information created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan. The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of the wireless infrastructure. The purpose is to establish management direction, procedure, and requirements to ensure safe and successful delivery of Analog Line Policy The purpose is to explains Company's analog and ISDN line acceptable use and approval policies and procedures. 61. Dial-in Access Policy The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of dial-in connections to the enterprise infrastructure. 62. Automatically Forwarded Policy The purpose is to prevent the unauthorized or inadvertent disclosure of sensitive company information.

7 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] Remote Access Policy The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of remote access connections to the enterprise infrastructure. 64. Ethics Policy The purpose is to establish a culture of openness, trust and integrity in business practices. 65. VPN Security Policy 66. Extranet Policy 67. Internet DMZ Equipment Policy The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of the VPN infrastructure. The purpose is to describes the policy under which third party organizations connect to Company's networks for the purpose of transacting business related to Company. The purpose is to define standards to be met by all equipment owned and/or operated by Company located outside Company's corporate Internet firewalls. 68. Network Security Policy The purpose is to establish requirements for information processed by computer networks. The Consequences of Not Complying While complying with HIPAA used to be perceived as optional, the HITECH Act of 2009 gave HIPAA compliance some long-awaited teeth. Today, both HIPAA and the HITECH Act have consistent enforcement under the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Just ask Cignet Health. In 2009, for the first time in history, federal officials issued a civil monetary penalty (CMP) to a healthcare organization for violations of the HIPAA privacy rule. When Cignet Health of Prince George s County, Md. failed to provide 41 patients with access to their medical records and then failed to cooperate with federal investigators, HHS imposed a CMP of $4.3 million for the violations. In a Notice of Proposed Determination issued Oct. 20, 2010, the OCR found that Cignet violated 41 patients rights by denying them access to their medical records when requested between September 2008 and October These patients individually filed complaints with OCR, initiating investigations of each complaint. Because the HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient s request, Cignet s CMP began at $1.3 million. Making matters worse for Cignet, OCR also found that the medical service provider failed to cooperate with OCR s investigations on a continuing daily basis from March 17, 2009, to April 7, OCR found that the failure to cooperate was due to Cignet s willful neglect to comply with the Privacy Rule, which states that covered entities are required under law to cooperate with the Department s investigations. Based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the HITECH Act, Cignet s fine was increased by an additional $3 million. This steep $4.3 million penalty sent a clear message to healthcare entities: HHS is serious about enforcing individual rights guaranteed by HIPAA.

8 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] 6 The Risk of a Data Breach The Cignet case is of course an extreme, and the organization knowingly violated patient rights, but what about a data breach? Because PHI records typically contain highly personal data such as a person s name, birthdate, Social Security number, insurance information and medical history, it should come of no surprise that healthcare data theft is the fastest growing criminal enterprise today. In fact, according to a recent study by the Ponemon Institute, 90 percent of all healthcare providers say they have had at least one data breach in the last two years, and 38 percent report more than five incidents in the past year 1. According to a recent study by the Ponemon Institute, 90 percent of all healthcare providers say they have had at least one data breach in the last two years, and 38 percent report more than five incidents. 1 The economic impact of an incident tends to cost an average of $2 million per organization over a two-year period. However, not all data breaches are the result of malicious intent. Rather, the vast majority are the result of unintentional actions of employees or thirdparty vendors. From lost or stolen laptops, to misdirected s and faxes, sensitive information can be exposed at any point in the process. And while the cost of healthcare data breaches has been hard to quantify, the economic impact of an incident tends to cost an average of $2 million per organization over a two-year period. In addition to the actual loss of money, most organizations also suffer from time and productivity loss, brand or reputation diminishment and/or loss of patient goodwill, thus resulting in patient churn. 45 percent of organizations have little or no confidence that they have the ability to identify patient data loss or theft. However, 55 percent of organizations are confident that they have the policies and procedures to effectively prevent or quickly detect unauthorized patient data access, loss or theft. 1

9 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] 7 Partnering to Achieve End-to-end Compliance Ultimately, the Ponemon Institute study 1 revealed the need to strengthen privacy and security to protect patient data. It can often become overwhelming for a healthcare provider to ensure that all systems and processes meet the criteria for HIPAA and the HITECH Act, and even when the minimum criteria are met, it doesn t necessarily mean that PHI is secure. Whether or not it s known that gaps exist, it s still the responsibility of the covered entity or business associate to ensure PHI is protected and that incident response measures are in place so the organization is adequately prepared to handle data breaches. To assist, the National Institute of Standards and Technology (NIST) provides the conformance tests, tools and resources needed to support and test the implementation of standards-based health systems. However, it s still essential for healthcare providers to partner with established, expert and proven services providers who can ensure their migration, implementation and operations and maintenance fulfill their promises. Key skill-sets and assets include: Professional services that go beyond technical proficiency A healthcare-friendly partner with a proven track-record An ability to work seamlessly with other integrators, as well as plug into existing programs (or frame new ones) with minimal start-up efforts An appropriate infrastructure with true physical isolation, from hardened facilities to data vaults and environmental services A Defense-in-Depth approach that includes physical and logical access and policy controls; an environment that supports not just cloud services, but colocation and managed service requirements; and security that goes beyond regulatory or mandated standards, to industry best-ofclass procedures Multiple facility fail-over provisions that support the organization s plan across regions Continuous monitoring, including operational and security staffing that s 24x7x365, as threats don t keep a schedule Compliance for mandates like HIPAA, FISMA, PCI DSS, and DIACAP, so there s no question of coverage for any application or data environment within that infrastructure Carpathia understands the challenges IT security professionals face in managing risk and securing information. As a trusted cloud operator, we enable our customers to have the confidence that they are able to comply with HIPAA/HITECH obligations. Our industry-leading solutions can allow healthcare customers to experience end-to-end compliance in the hosting environment that best suits their needs. 1

10 [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance ] 8 Since HIPAA is not a prescriptive set of IT standards, it s very key that the IT service provider working with a healthcare organization selects an established baseline to build policy from. Carpathia has elected to follow many of the same controls and requirements used in federal IT systems (FISMA). These are derived from NIST special publications in the 800 series of documents, which has the additional benefit of systems that meet both FISMA and DIACAP requirements should the organization start delivering services to the government. Our data center footprint includes North America, Europe and Asia, providing comprehensive solutions for networks, servers and storage equipment. Carpathia s 64,000 sq. ft., 7.3 MW IBX Vault data center in Dulles, VA was designed to deliver cloud, managed hosting and colocation solutions for both healthcare and federal agencies. It was built to exceed Tier 3 standards and provides the environment healthcare entities need to keep patient data safe it is among the most connected and secure data centers in the industry. Carpathia has historical precedence in engineering and hosting HIPAA compliant systems for medium and small companies, system integrators, development companies and small A8 business. Customers rely on Carpathia s compliance experience and expertise to ensure their information systems achieve and maintain healthcare compliance mandates throughout the lifecycle of their systems. Our HIPAA-compliant hosting services are built on our trusted private cloud operator platform and are designed to support multiple deployment models, offering flexibility and managed servers that provide scalability. Carpathia is a trusted cloud operator with over a decade of managed hosting experience serving covered entities, including healthcare providers, insurance and health plan clearinghouses and their business associates. Our solutions blend the people, processes and technology required to meet the challenges of health IT. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds customers expectations. For more information, please contact us today: Phone: Toll Free: Carpathia is a trusted cloud operator and leading provider of cloud services and managed hosting, providing secure, reliable and compliant IT infrastructure and management for some of the world s most demanding enterprises and federal agencies. Carpathia s cloud platform delivers solutions for every stage of the cloud journey, empowering organizations to meet their unique security and compliance requirements. Carpathia s experienced customer care team and innovative data center facilities provide 24x7 global support to ensure optimum performance and reliability. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds expectations. Contact Carpathia at , or visit for more information Atlantic Boulevard Suite 500 Dulles, VA /

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

New privacy and security requirements increase potential legal liability and jeopardize brand reputation.

New privacy and security requirements increase potential legal liability and jeopardize brand reputation. New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

HIPAA Security Policies & Procedures (HITECH updated)

HIPAA Security Policies & Procedures (HITECH updated) Why Create HIPAA Security Policies and Procedures? The final HIPAA Security rule published on February 20, 2003 requires that healthcare organizations create HIPAA Security policies and procedures to apply

More information

Meaningful Use and Core Requirement 15

Meaningful Use and Core Requirement 15 Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 rusty@husemanhealthlaw.com use e Health care law firm fighting

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Security Compliance, Vendor Questions, a Word on Encryption

Security Compliance, Vendor Questions, a Word on Encryption Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org

More information

BEST PRACTICES FOR COMMERCIAL COMPLIANCE

BEST PRACTICES FOR COMMERCIAL COMPLIANCE BEST PRACTICES FOR COMMERCIAL COMPLIANCE [ BEST PRACTICES FOR COMMERCIAL COMPLIANCE ] 2 Contents OVERVIEW... 3 Health Insurance Portability and Accountability Act (HIPAA) of 1996... 4 Sarbanes-Oxley Act

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other

More information

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act

More information

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

What Virginia s Free Clinics Need to Know About HIPAA and HITECH What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics

More information

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! Introduction Several years ago we first published A White Paper for Health

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

HIPAA COMPLIANCE PLAN FOR 2013

HIPAA COMPLIANCE PLAN FOR 2013 HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Building Trust and Confidence in Healthcare Information. How TrustNet Helps

Building Trust and Confidence in Healthcare Information. How TrustNet Helps Building Trust and Confidence in Healthcare Information The management of healthcare information in the United States is regulated under the HIPAA (Health Insurance Portability and Accountability Act)

More information

OCR/HHS HIPAA/HITECH Audit Preparation

OCR/HHS HIPAA/HITECH Audit Preparation OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

Achieving HIPAA and HITECH Compliance. with Enterprise Single Sign-On

Achieving HIPAA and HITECH Compliance. with Enterprise Single Sign-On Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On 1 TABLE OF CONTENTS The Challenges of HIPAA and HITECH Compliance

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

A Technical Template for HIPAA Security Compliance

A Technical Template for HIPAA Security Compliance A Technical Template for HIPAA Security Compliance Peter J. Haigh, FHIMSS peter.haigh@verizon.com Thomas Welch, CISSP, CPP twelch@sendsecure.com Reproduction of this material is permitted, with attribution,

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

HIPAA SECURITY AND POLICIES AND PROCEDURES. By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY

HIPAA SECURITY AND POLICIES AND PROCEDURES. By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY HIPAA SECURITY AND POLICIES AND PROCEDURES 1 HIPAA SECURITY AND POLICIES AND PROCEDURES By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY PRESENTED TO: DR.

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Healthcare Insurance Portability & Accountability Act (HIPAA)

Healthcare Insurance Portability & Accountability Act (HIPAA) O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information