HIPAA RISK ASSESSMENT


PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION)

Practice Name:
Address:
City, State, Zip:
Phone:

We anticipate that your Meaningful Use training and implementation will take approximately 30 days. Most of your training will be done by attending courses at SammyUniversity.com. If, after you attend Sammy University, you feel that you need additional one-on-one training, we will certainly make ourselves available to help you! Register for Meaningful Use ASAP! SammyEHR's CMS EHR Certification ID is SVAKEAS.

HIPAA Compliance

ICS has made me aware of the HIPAA security requirements.
    I decline ICS's offer to assist me in becoming HIPAA compliant.
    Please assist me in becoming HIPAA compliant. I have completed the attached questionnaire. I will send it back to ICS completed to the best of my ability, including payment ($399 for 1 office, $199 for each additional office).

Please make check payable and remit to: ICS Software, Ltd., 3720 Oceanside Road West, Oceanside, NY

If paying by credit card, please include your information below:
    MasterCard    Visa    Amex    Discover
    Card Number:
    Expiration: /
    Signature:

Please send this form back to ICS via fax ( ), or mail.

As part of the requirements for Meaningful Use, the practice is required to perform a risk assessment. The types of risks that need to be addressed include Physical, Administrative and Technical Risks. This document is the risk assessment. If you do not understand what is being asked for in any given location, please leave it blank.

PHYSICAL RISKS

Loss of Power

Loss of power not only makes the data on practice computer systems inaccessible; the improper shutdown of computer systems caused by a power outage can also damage hardware and destroy the data stored on those systems. An assessment of the likelihood of a loss of power, and the implementation of measures to mitigate the potential damage from such an event, is necessary.

1. How many times in the past year have you lost power?
2. Do you have a Backup Generator? Yes No
3. Do you have UPS (Battery Backup) on all critical technology devices? Yes No
   Critical devices can include computers, networking equipment, and phone systems. Your server would be a critical computer. NOT all workstations are critical devices, but at least one should have a UPS installed.
4. Do you have phones that can plug directly into the wall and do not require a power source?

Loss of Internet Connectivity

Use of the internet is required for connection to Health Information Exchanges, remote offices, and other data sources. This connectivity may be necessary to ensure that patient data is available. The more data that is located off premises, the greater the impact a loss of connectivity will have on your practice. The practice's connectivity needs will determine the severity of a loss of connectivity and the steps required to mitigate it.

1. How many times in the past two years have you lost internet connectivity?
2. How many of these were accompanied by a loss of electricity?
3. Do you have multiple connections from multiple internet carriers? Yes No
4. Do you have a wireless internet connection, such as a laptop EDGE card, in case of a service outage? Yes No
5. Is your database located at this location or at an offsite location? This location Offsite
6. Do satellite offices need to be able to connect to this location?
7. If your data is offsite, it is located:
   In your other office
   In your computer at a data center
   In the cloud at an ASP
   Other (please specify)

Loss of Premises due to Fire

In addition to the risks that fire poses to computer systems, fire poses a significant risk to the health and safety of the practice's patients and workforce. The primary goal of a fire risk assessment and risk mitigation is to ensure the safety of the people who are on the premises. With proper implementation of fire protection, it is possible to minimize damage to computer systems due to fire. In case of damage due to fire or other disaster, it may be necessary to implement the practice's disaster recovery plan, which is addressed in the HIPAA Security Manual.

1. Do you have fire extinguishers? Yes No
   Please mark the locations of all fire extinguishers on your practice floor plan.
2. Do you have sprinklers at your location? Yes No
   Please mark the locations of sprinklers on your practice floor plan.
3. Do you have smoke detectors? Yes No
   Please mark the locations of all smoke detectors on your floor plan.
4. Do you have fire alarms? Yes No
   Please mark the locations of all fire alarms on your floor plan.
5. Do you have central station monitoring for fires? Yes No
   Please mark the location of all fire extinguishers on your floor plan.

Loss due to Theft

Theft of computer systems and data represents a significant risk to the practice. Theft of computer systems or of data is a major HIPAA violation. There are multiple methods of theft, including theft of data and theft of physical computers and media. Here we will discuss the risks posed by theft of physical devices.

1. Do you have an anti-theft system such as a burglar alarm? Yes No
2. Do you have central station monitoring? Yes No
3. Who is alerted if the alarm is triggered?
4. Is there video surveillance and recording of the premises? Yes No
5. Do you have motion detectors? Yes No
6. Are all external windows alarmed? Yes No
   a. If not, please describe why not:
7. Are all external doors alarmed? Yes No
   a. If not, please describe why not:
8. Are any internal windows or doors alarmed? Yes No
   Please mark the location of all alarmed access points on your office floor plans.
9. Are you tracking who has access to the premises using keys / keypad access? Yes No
10. Are all computers in secure areas? Yes No
    Please mark the location of each computer on your floor plan. Indicate which rooms that store computers have locks installed.

COMPUTER INVENTORY FORM

List all computers, devices and media containing E-PHI on the inventory sheet. Include details on who is responsible for mobile devices and media. Please give each device an ID. This ID will be used when documenting all of your installed software. Be sure to list the Make, Model and Serial Number of each device, and additionally the operating system and antivirus software (if any) on each computer or mobile device. Digital printers and copiers often have hard drives. If you have digital imaging devices such as printers, copiers, or scanners that contain hard drives, you must have an inventory form for each of those devices. Please fill out one form for each workstation, laptop, server and PDA used in your practice. Please photocopy that form and keep a blank one available; you will need to add a Computer Inventory Form to your HIPAA manual each time you buy a new computer.

Computer Name (please name each computer):
Computer Make (e.g. Dell, HP, etc.):
Computer Model:
How many hard drives are in the computer?
Are any of the drives encrypted? Please provide details:
Operating System (be specific, e.g. Windows XP Professional):
Location of Computer (Front Desk, Treatment Room 1, Mobile Kiosk):
What antivirus software is installed?
Is the computer connected to a Battery Backup? If yes, please list the make and model of the Battery Backup:
If this is a mobile device, who is responsible for this computer?

MEDIA DESTRUCTION DOCUMENTATION

Hard Drive Make / Model    | Date Destroyed    | Replaced with
---------------------------|-------------------|------------------------
                           |                   |
                           |                   |
                           |                   |
                           |                   |
                           |                   |

You will notice a section titled Media Destruction Documentation on each of the Computer Inventory Forms. Each of these inventory forms will become part of your HIPAA manual, and you need to track all media that your practice uses to store E-PHI. When media is retired, the data on the media needs to be irreversibly destroyed. This can be accomplished by using software that wipes the media, or by physically destroying the disks. Please describe the methods you use to irreversibly destroy all E-PHI on your retired media. You need to be specific. If you do not have a method, we recommend using Iron Mountain, which provides hard disk shredding services.

OTHER PHYSICAL DAMAGE

If your office is at risk of damage due to factors not addressed earlier in this questionnaire, please detail those risks here. Risks could include, but are not limited to, floods, hurricanes, earthquakes, or other natural disasters.

In case of a disaster you may need to reinstall all programs, including operating systems. The installation disks should be stored at an offsite location. Where do you store your installation disks?

BACKUP AND RESTORATION

In the event of a loss of equipment and/or data, it is important to be able to access critical patient data. This is accomplished by having data backups, contingency plans, and disaster recovery plans, all of which are addressed in your HIPAA Security Manual. In order for these plans to function, certain steps need to be taken on a regular basis to ensure the integrity and availability of data.

1. Do you back up data to local media? Yes No
2. If yes, what type of media is used?
3. Is the media stored off site? Yes No
4. Do you have a fireproof safe at your practice location? Yes No
5. Do you have a fireproof safe at an offsite location? Yes No
6. How often do you back up your data?
7. How often do you test your backups?
8. How many days of backup do you retain locally?
9. Do you use remote backup services? Yes No
10. How often do you back up data remotely? Yes No
11. What type of media is used?
12. How often do you test your remote backup?
13. How many days of backup do you retain remotely?
14. What offsite backup company do you use?
    Please attach a copy of the BAA with your offsite backup service to your HIPAA manual.
15. Do you have copies of all installation disks? Yes No
16. Where are these disks stored?
17. How do you test your backup?

VENDORS, SUPPLIERS, CONSULTANTS AND SUPPORT

In the case of a disaster you will need the assistance of your hardware vendors, software vendors, and consultants. The details of disaster recovery are listed in your HIPAA Security Manual. Please list your vendors and consultants in this section. Include information on the Operating Systems and Anti-Virus Software. If you have multiple copies of software installed on multiple computers, please fill out the information for each instance separately. Attach additional pages as necessary.

Hardware Vendor:
Contact Name:
Phone Number(s):
Email address:

Hardware Vendor:
Contact Name:
Phone Number(s):
Email address:

Hardware Vendor:
Contact Name:
Phone Number(s):
Email address:

SOFTWARE VENDORS (COMPLETE FOR EACH SOFTWARE VENDOR)

Software Vendor:
Software Product and Version:
Software License Information:
Contact Name:
Phone Number(s):
Email address:

1. Does the software support encryption? Yes No
2. What type of encryption is implemented?
3. Does the software support auditing of use and access? Yes No
4. Does the software require a login? Yes No
   If the software requires a login:
   a. Does the software support or require strong passwords? Yes No
   b. Is this implemented? Yes No
   c. Does the software support or require regular password changes? Yes No
   d. Is this implemented, and how often are passwords required to be changed? Yes No
5. Are automatic updates available with this software product? Yes No
6. Are automatic updates enabled? Yes No
7. If the automatic updates require annual renewal, when does the current update license expire?

TECHNICAL MEASURES

Technical measures need to be implemented to ensure the security of your computer network. These technical measures are detailed in the HIPAA Security Manual. In order to properly answer these questions, you will probably need the assistance of your hardware and software vendors.

1. Do you have auditing software installed on your computer network? Yes No
2. What auditing software is used?
3. How often are the audit logs reviewed?
4. Is there an intrusion detection system installed on your computer network? Yes No
5. Does the computer network support a login threshold? Yes No
6. What is that threshold?
7. What happens if that threshold is exceeded?
8. Does the computer network support strong passwords? Yes No
9. Is that implemented? Yes No
10. Please describe the password policy that is implemented on the computer.

NETWORK SECURITY

1. Do you have a wireless network? Yes No
2. What type of firewall is installed (Make and Model)?
3. What type of router is installed (Make and Model)?

Note that your Wireless Access Point and your router are often the same device. Please answer the following questions for each of your Wireless Access Points:

Make and Model:
Is MAC address security enabled? Yes No
What type of wireless security is enabled?
    None    WEP    WPA    WPA2/Personal    WPA2/Enterprise    Other (please specify):

AUDITING SOFTWARE

If your computer has any auditing software installed, or your EMR software has built-in auditing, please describe it here.

STAFF ROSTER

As part of the HIPAA security policies, each staff member needs to receive annual HIPAA training and regular HIPAA reminders. We provide regular HIPAA training to your staff via webinars and regular updates via email. We therefore require a separate valid email address for each of your staff members. As part of the workforce authorization process, it may be appropriate to perform background checks on your employees.

Staff Member Name    | Email Address
---------------------|----------------------------

If you have done background checks, they should be attached to and made part of your HIPAA manual. Your HIPAA manual will have blank pages for each staff member (photocopy as needed), which should be filled out for each existing employee and each new employee. They contain information that needs to be filled out when each employee leaves your practice.

ASSIGNED RESPONSIBILITY

HIPAA requires that you assign staff members to various security / privacy posts within your practice. Please let us know who is:

Practice Security Officer:
This is the person responsible for implementing all of the security provisions detailed in this HIPAA manual, testing the security procedures, and making necessary changes to your manual should they be required. This person will be in charge of your Security Incident Response Team in case of a HIPAA breach.

Practice Privacy Officer:
This is the person responsible for communicating with your patients should they have any questions or issues regarding HIPAA privacy in your office. In case of a breach, they will work with the Security Officer and be on the Security Incident Response Team to mitigate any breaches.

Practice Compliance Officer:
This is the person responsible for monitoring the employees of your practice to ensure that they are following your HIPAA policy, and for ensuring that the logs in the HIPAA manual are updated as appropriate.

BUSINESS ASSOCIATE AGREEMENTS

Provide a list of all companies having access to any patient information for any purpose, and any individuals who have remote access. This includes orthotic labs if you put patient names on the orthotic Rx, but not doctors to whom you send and from whom you receive referrals. Examples: accountants, practice consultants, transcription services, billing companies, etc. Do NOT list employees of your practice.

Please attach copies of the Business Associate Agreements with each of the entries above.

FLOOR PLAN

Please draw a floor plan of your practice. Each of the following must be marked:

Doors
    If the door has a lock, please indicate.
    If the door is alarmed, please indicate.
Windows
    If the window has a lock, please indicate.
    If the window is alarmed, please indicate.
Computers
    Mark where each computer is located.
    Please name each computer (see inventory sheet).
Fire
    Please mark the locations of fire detectors and fire extinguishers.
Theft
    Please mark the location of motion detectors, video cameras and keypads.

Attach your floor plan to this questionnaire.

REMOTE ACCESS

Does anybody access your practice computers remotely? Yes No

Please describe the security that has been implemented for each remote user.


More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

Healthcare Security Vulnerabilities. Adam Goslin Chief Operations Officer High Bit Security

Healthcare Security Vulnerabilities. Adam Goslin Chief Operations Officer High Bit Security Healthcare Security Vulnerabilities Adam Goslin Chief Operations Officer High Bit Security Webinar Overview IT Security and Data Loss Breach Sources / Additional Information Recent Medical Breach / Loss

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Hosted Testing and Grading

Hosted Testing and Grading Hosted Testing and Grading Technical White Paper July 2014 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

Enabling Solutions for HIPAA Compliance. Presented by: Mike McDermand

Enabling Solutions for HIPAA Compliance. Presented by: Mike McDermand Enabling Solutions for HIPAA Compliance Presented by: Mike McDermand HIPAA Agenda About Computer Associates International, Inc. (CA) AHA HCCA HIPAA security survey Summary results Highlights of responses

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT

CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT Class Date: January 29, 2016 Webinar Questions/Follow-Up Answers Question Please expand on the Treatment

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

Offsite Disaster Recovery Plan

Offsite Disaster Recovery Plan 1 Offsite Disaster Recovery Plan Offsite Disaster Recovery Plan Presented By: Natan Verkhovsky President Disty Portal Inc. 2 Offsite Disaster Recovery Plan Introduction This document is a comprehensive

More information

Cloud Computing. Chapter 10 Disaster Recovery and Business Continuity and the Cloud

Cloud Computing. Chapter 10 Disaster Recovery and Business Continuity and the Cloud Cloud Computing Chapter 10 Disaster Recovery and Business Continuity and the Cloud Learning Objectives Define and describe business continuity. Define and describe disaster recovery. Describe the benefits

More information

DISASTER RECOVERY PLAN

DISASTER RECOVERY PLAN DISASTER RECOVERY PLAN Section 1. Goals of a Disaster Recovery Plan The major goals of a disaster recovery plan are: To minimize interruptions to normal operations. To limit the extent of disruption and

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Meaningful Use and Core Requirement 15

Meaningful Use and Core Requirement 15 Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information

More information

CONTINUITY AND RECOVERY PLANNING GUIDE

CONTINUITY AND RECOVERY PLANNING GUIDE CONTINUITY AND RECOVERY PLANNING GUIDE The Continuity Planning process is designed to assist an organization in determining action plans for disaster recovery or incident response. The process also aids

More information

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant

Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant Brochure More information from http://www.researchandmarkets.com/reports/3302152/ Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT /

More information

The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division

The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division WILLIAM C. THOMPSON, JR. Comptroller Follow-Up Report on the New York City Fire Department Arson Information

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Network Security for End Users in Health Care

Network Security for End Users in Health Care Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information

More information

CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM

CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM INTRODUCTION CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM The Osceola County Board of County Commissioners is committed to protecting consumers who do business with Osceola County, and as such

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

INFORMATION SECURITY FOR YOUR AGENCY

INFORMATION SECURITY FOR YOUR AGENCY INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection

More information

to EMR transition Contents

to EMR transition Contents Best Practices Guide HIPAA Primer series HEALTHCARE Iron Mountain Document Conversion Services The HIPAA-compliant approach to EMR transition Contents 3 EMR Transition: The Growing Importance of Document

More information

SITECATALYST SECURITY

SITECATALYST SECURITY SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance

More information

H.I.P.A.A. Compliance Made Easy Products and Services

H.I.P.A.A. Compliance Made Easy Products and Services H.I.P.A.A Compliance Made Easy Products and Services Provided by: Prevare IT Solutions 100 Cummings Center Suite 225D Beverly, MA 01915 Info-HIPAA@prevare.com 877-232-9191 Dear Health Care Professional,

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA

More information

Print4 Solutions fully comply with all HIPAA regulations

Print4 Solutions fully comply with all HIPAA regulations HIPAA Compliance Print4 Solutions fully comply with all HIPAA regulations Print4 solutions do not access, store, process, monitor, or manage any patient information. Print4 manages and optimize printer

More information

Tufts Health Plan Corporate Continuity Strategy

Tufts Health Plan Corporate Continuity Strategy Tufts Health Plan Corporate Continuity Strategy July 2015 OVERVIEW The intent of this document is to provide external customers and auditors with a highlevel overview of the Tufts Health Plan Corporate

More information

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

The Must Have Tools To Address Your Compliance Challenge

The Must Have Tools To Address Your Compliance Challenge The Must Have Tools To Address Your Compliance Challenge Industry leading Education October 21 - Top 5 tools to help you achieve HIPAA compliance November 11 - Saving time and money through web-based benefits

More information

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent

More information

HIPAA and Cloud IT: What You Need to Know

HIPAA and Cloud IT: What You Need to Know HIPAA and Cloud IT: What You Need to Know A Guide for Healthcare Providers and Their Business Associates GDS WHITE PAPER HIPAA and Cloud IT: What You Need to Know As a health care provider or business

More information