Visit http://www.onlinetech.com/hipaa for more information. Copyright Online Tech 2012. All Rights Reserved. page 1 of 36

HIPAA Compliant Data Centers

1.0. Executive Summary
Impact of HITECH and HIPAA on Data Centers
What is a HIPAA Compliant Data Center?
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Organizational Requirements
Business Associate Agreements
HIPAA Compliant Data Center Architecture
Requirements
Enhanced Security
Outsource vs. In-House Hosting
Benefits of Outsourcing Hosting
Risks of Outsourcing
Vendor Selection Criteria
HIPAA Compliant Business Associates
Other Key Data Center Considerations
Conclusion
References
Questions to Ask Your HIPAA Hosting Provider
Example BAA
Data Center Standards Cheat Sheet

1.0. Executive Summary

The increasing pressure to implement meaningful use, reduce healthcare costs, and improve care outcomes while still protecting patient interests has led to strategic review and overhaul by many healthcare providers and vendors. Evaluating outsourcing options that let industry experts manage parts of the healthcare IT components is an obvious part of the equation, and the intensive capital expense, human resource, security, and maintenance demands specific to data centers make them prime candidates for cost savings. However, balancing the resource benefits of outsourcing data center and hosting services against the risks of engaging an off-premise business associate is daunting in the wake of increasing PHI (protected health information) breaches and penalties. Ultimately, the challenge at hand is finding the best blend of resources that can fulfill the availability, integrity, and confidentiality requirements to protect ePHI (electronic protected health information) - and thereby protect the patients, covered entities, and business associates.

This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

Impact of HITECH and HIPAA on Data Centers

Protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) is the essence of the HIPAA Security Rule. [1] Since data centers typically store, transmit, or process ePHI, they must comply with the HITECH standards and citations to meet HIPAA compliance. The same risk analysis, administrative safeguards, physical safeguards, technical safeguards, and ongoing due diligence apply just as much in the data center as in a provider's facility.

While there is some debate about the responsibilities of business associates for the protection of ePHI, all indications point towards business associates being held as responsible as covered entities. Consider the latest notice of proposed rulemaking, which speaks to the extension of responsibilities from covered entities to business associates: "As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities." [2]

Moreover, both covered entities and business associates should bear in mind that prosecution by the Office of Civil Rights (OCR) under HITECH is not the only legal concern. The last year has witnessed an increase in state and consumer lawsuits against both covered entities and business associates. In January 2012, the Minnesota Attorney General filed a lawsuit against Accretive Health for failing to protect the confidentiality of over 23,000 patient healthcare records. [3]

The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk management, safeguards, and ongoing compliance governance standards are followed no matter where ePHI resides. This means that data centers, whether in-house or outsourced, need to fully embrace complete responsibility for ePHI. In the areas of administrative safeguards, such as ongoing HIPAA awareness and training for all employees, healthcare providers tend to be stronger. In the areas of technical safeguards and PHI availability, professional data center companies that invest extensively in redundant facility infrastructure and security may be the safer bet. Ideally, either a healthcare provider would have infinite resources to build and maintain multiple, high-availability data centers, or a data center hosting business associate would have a thorough understanding of HIPAA compliance, including HIPAA security risk analysis and management, policies, training of all employees, and ongoing HIPAA compliance audits. While both ideals exist, they are in the minority. In these cases, weighing the pros and cons falls back to the risk analysis and management process to choose the option that will best maintain ePHI confidentiality, integrity, and availability.

What is a HIPAA Compliant Data Center?

Data centers need to adhere to the administrative, physical, and technical safeguards and standards set forth by the HITECH Act to be HIPAA compliant. Following is a brief review of the administrative, physical, and technical safeguards with specific notes applicable to data centers.

Administrative Safeguards

The Security Management Process described under (a)(1) includes requirements for HIPAA Risk Analysis and Risk Management, which form the foundation upon which an entity's necessary security activities are built. (68 Fed. Reg.) [4]

Start by reviewing the data center's HIPAA Report on Compliance, sometimes referred to as an HROC. Providers who maintain their own data centers are likely to have this included in their risk analysis and management plan already. It can serve as a useful point of comparison across the various HIPAA standards, citations, and implementation specifications when outsourcing to a third-party data center business associate. Data center providers who have invested in an independent HIPAA risk assessment should provide a copy of their HIPAA compliance report upon request, at least under NDA.

When a data center business associate can provide a HIPAA compliance report, it saves covered entities (CEs) the significant cost of evaluating HIPAA compliance, which should happen in advance of entering into a partnership. If a CE elects to outsource data center hosting services to a business associate that does not have, or does not provide, an independent HIPAA report on compliance, the CE will have to bear the burden of evaluating compliance and proving due diligence.

Other Administrative Safeguards that should be in place in all data centers that store, transmit, or process ePHI include:

- Assigned Security Responsibility (a)(2)
- Workforce Security (a)(3)
- Information Access Management (a)(4)
- Security Awareness and Training (a)(5)
- Security Incident Procedures (a)(6)
- Contingency Plan (a)(7)
- Evaluation (a)(8)
- Business Associate Contracts and Other Arrangements (b)(1)

3.2. Physical Safeguards [5]

STANDARDS                        SECTIONS   IMPLEMENTATION SPECIFICATIONS
Facility Access Controls         (a)(1)     Contingency Operations; Facility Security Plan;
                                            Access Control and Validation Procedures; Maintenance Records
Workstation Use                  (b)        (none)
Workstation Security             (c)        (none)
Device and Media Controls        (d)(1)     Disposal; Media Re-use; Accountability; Data Backup and Storage

Nothing beats an on-site visit to ascertain the level of security. Think of it this way: this data center might hold the data of hundreds, or thousands, of your patients. You want to feel the same sense of solid trust and ease from your visit that you want your patients to feel towards their own care providers. As an extension of a covered entity, the business associate should foster a sense of expertise, careful procedure, and a willingness to communicate openly about questions and policies. Imagine the first night of sleep after moving your PHI to this place - will you sleep soundly, or lie awake in dread?

Things to check for include the following:

- Two-factor authentication - Unless personally escorted, anyone in the data center should be wearing a badge that identifies them, and access should require at least two forms of identification, such as a badge and access code, or a biometric fingerprint scan and badge. If you go for a data center visit and are not asked to sign in and wear a badge, security should be considered less than adequate.
- Prolific use of video surveillance - Ask to see the video logs and how long they are kept (it should be at least 90 days).
- Visitor logging - The entries in the logbook should directly match the video surveillance tapes. Ask when the last independent auditor confirmed that the visitor logs match the video archives. Ask who the auditor was and investigate the auditor's company to confirm their credibility.
- Procedure documentation - Ask to review the documentation for the procedure that allows access by unannounced visit, phone call, or email. Don't just ask the security or compliance officer - ask anyone. If there is a consistent policy and procedure in place, you should get a consistent and reassuring answer.

Technical Safeguards [6]

STANDARDS                        SECTIONS   IMPLEMENTATION SPECIFICATIONS
Access Control                   (a)(1)     Unique User Identification; Emergency Access Procedure;
                                            Automatic Logoff; Encryption and Decryption
Audit Controls                   (b)        (none)
Integrity                        (c)(1)     Mechanism to Authenticate Electronic Protected Health Information
Person or Entity Authentication  (d)        (none)
Transmission Security            (e)(1)     Integrity Controls; Encryption

The HIPAA Security Rule does not require specific technology solutions, but it does outline the standards and implementation specifications. The Rule's intent is to allow covered entities the flexibility to determine which security measures are a good fit for their company, depending on size and differing needs.

[1] U.S. Dept. of Health and Human Services, HIPAA Security Series: Basics of Risk Analysis and Risk Management.
[2] U.S. Dept. of Health and Human Services, Federal Register Part II.
[3] Minnesota Attorney General, Attorney General Swanson Sues Accretive Health for Patient Privacy Violations.
[4] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Basics of Risk Analysis and Risk Management.
[5] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Physical Safeguards.
[6] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Technical Safeguards.

The HHS provides guidance around the implementation specifications below:

- Unique User Identification - Assign a unique user ID to each employee so that your company can track user activity while the user is logged into an information system.
- Emergency Access Procedure - Establish a written procedure outlining the protocol for accessing ePHI in the event of an emergency, including policies around who needs access and possible ways to gain access.
- Automatic Logoff - Automatic logoff should be implemented on every workstation with access to ePHI after a certain period of inactivity.
- Encryption and Decryption - This is not required, but instead recommended as a safeguard to be implemented only if deemed reasonable and appropriate for the covered entity. Determine which ePHI or software programs are appropriate for encryption.
- Audit Controls - This refers to implementing a system that logs and monitors activity on information systems holding ePHI.
- Authentication - Intended to protect the integrity of ePHI; existing systems should have functions or a process to check data integrity, such as digital signatures. When it comes to person or entity authentication, proof of identity should include a password or PIN, smart card, token, key and/or biometrics (fingerprints, facial patterns or voice patterns).
- Transmission Security - For integrity controls, the primary method to protect ePHI is through the use of network communications protocols, although other methods include data or message authentication codes. Encryption is another option to consider after reviewing your company's methods of transmission, frequency of transmission, and potential issues found in your risk analysis.

Organizational Requirements [7]

STANDARDS                                            SECTIONS   IMPLEMENTATION SPECIFICATIONS
Business associate contracts or other arrangements   (a)(1)     Business Associate Contracts; Other Arrangements
Requirements for Group Health Plans                  (b)(1)     Implementation Specifications
Policies and Procedures                                         (none)
Documentation                                                   Time Limit; Availability; Updates

[7] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements.

The Organizational Requirements found in the HIPAA Security Rule concern contracts and agreements with business associates (BAs) and the policies, procedures and documentation guidelines for group health plans.

- Business Associate Contracts (or Agreements, BAA) - This ensures business associates will implement the HIPAA safeguards to protect ePHI they receive or maintain on behalf of the covered entity. It also ensures that any subcontractors they work with will follow the safeguards. The agreement requires BAs to report all security incidents and allows contract termination if any violations occur (read more about BAAs below).
- Other Arrangements - This is allowed only if both the business associate and the covered entity are government entities, and they enter into a memorandum of understanding (MOU) that addresses all of the objectives of a BAA.
- Group Health Plans - The implementation specifications are the same as those required for BAAs (above).

Required policies, procedures and documentation must be retained for a period of at least six years, be available via print or intranet, and be reviewed and updated based on environmental or operational changes that affect ePHI security.

Business Associate Agreements

Not only does an effective business associate agreement need to be in place between covered entities and their business associates; the contractors and vendors of the business associate must also share and sign business associate agreements if there is any potential of access to PHI data. [8]

The business associate agreement (BAA) is the ideal place to clarify the roles and responsibilities between the covered entity and the business associate. For example, the OCR requires the following documentation in the event of a PHI breach:

Documentation
- Documentation of the covered entity's admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.
- Documentation of an internal investigation conducted by the covered entity in response to the allegations, including a copy of the incident report prepared as a result of the laptop and server theft.
- Documentation of the covered entity's corrective action taken, or plan for actions the covered entity will take, to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:
  o Sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity's current policies and procedures, and as required by the Privacy Rule.
  o Re-training of appropriate workforce members.
  o Mitigation of the harm alleged, as required by the Privacy Rule.

HIPAA Policies and Procedures
- A copy of HIPAA policies and procedures related to the disclosure and safeguarding of PHI, and specifically ePHI.
- A copy of the policies and procedures implemented to safeguard the CE's facility and equipment.

Physical Safeguards
- Evidence of physical safeguards implemented for computing devices to restrict PHI access.
- Business associate agreements and/or policies and procedures implemented to ensure business associates have implemented the appropriate safeguards (if applicable).

Risk Assessment
- A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.
- Evidence of security awareness training for involved workforce members, including training on workstation security.
- Evidence of the implementation of a mechanism to encrypt ePHI stored on the workstations.

Breach Notification
- A copy of the written notification of the breach provided to the affected individuals.
- A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.

Much of the required documentation requires months of planning and implementation. If you sign a BAA today and have a PHI breach tomorrow, are you confident that your data center can provide the necessary information to respond to the OCR thoroughly and in a timely manner?

[8] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements.

3.5. HIPAA Compliant Data Center Architecture

The diagram below shows the elements of a HIPAA compliant hosting architecture. To create it, we worked with Certified HIPAA Security Specialists and Certified HIPAA Professionals who matched each HITECH standard, specification, and implementation with a common technology application that meets Security Rule compliance. Each element is described in the following pages.

Requirements

Antivirus

The Security Awareness and Training Standard of the HIPAA Security Rule (Section (a)(5)) [9] specifically calls out the need for Protection from Malicious Software. We all use antivirus on our laptops, and using it on a server operates under the same premise: safety and security for critical infrastructure. This is one of the most important elements of security you can buy for the money for a managed server.

OS Patch Management

Routine OS patch management is required in today's IT climate. And yes, there are many older servers, older applications, and just plain old implementations out there that IT administrators are scared to touch. These are, for example, the MS-SQL 2000 implementations that are connected to disparate systems, ERP systems, and other legacy applications that IT managers fear might break if patched. They are often left unpatched due to lack of funding for application redesign, and sheer terror on the part of some IT managers at implementing change for the security and good of the company. With all the security bulletins, holes, bugs, zero-day exploits, viruses, and other security vulnerabilities announced daily for operating systems, applications, and databases, a solid patch process that safeguards all systems is needed. This includes choosing one or more patch tools, processes, and procedures, and then setting up unified test, staging, and production environments in which to test the patches.

Backup and Disaster Recovery

The HIPAA Contingency Plan standard described in section (a)(7) [10] requires a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis. Part of proving due diligence is holding CEs and BAs responsible for ensuring PHI is not destroyed or lost in the event of a disaster. Offsite data backups are imperative and offsite disaster recovery is strongly recommended.

Patient care is not a 9-5 job; a primary driver behind electronic health records is the portability and availability of patients' records to health care providers around the clock. Availability means that PHI is always available, accessible and never lost. When a patient arrives in the emergency room at two o'clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient's records at their fingertips.

[9] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Administrative Safeguards.
[10] U.S. Dept. of Health and Human Services, HIPAA Security Series: Security Standards: Organizational, Policies and Procedures and Documentation Requirements.

Protecting healthcare data and ensuring its availability means putting procedures in place to mitigate disasters, and having a solid plan in hand to activate when a disaster occurs. The infrastructure to do this is defined from two perspectives:

1. Disaster Prevention - Putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
2. Disaster Recovery - Assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if a disaster occurs in the primary data center.

High Availability, Redundant Firewalls

Firewalls can help meet both the administrative safeguard requirement to protect PHI from malicious software ((a)(5)) and the technical safeguard requirement to tightly control access to PHI ((a)(1)). The data center should be protected by redundant, or high availability, firewalls so that if one fails due to a hardware, software, or power issue, a second firewall still stands between PHI and a malicious attack. Intrusion detection and intrusion prevention capabilities should also supplement firewall protection, and are often a feature of modern firewall and unified threat management appliances. Plan or evaluate with the knowledge that it's not a matter of if a firewall fails, it's when a firewall fails. Look for every single point of failure in the data center and plan high-availability redundancies wherever they exist. For example, the firewalls should be plugged into separate power strips that are connected to separate power feeds in the data center. If the redundant firewalls are plugged into a single power strip that blows a breaker fuse, all redundancy is lost.

High Availability, Redundant Routers

Routers are responsible for passing data to and from the data center and the Internet. In order to ensure that PHI is always available, the data center should use redundant routers so that data traffic can continue when one router experiences a hardware, software or power failure. Routers should be powered by separate power strips connected to separate power feeds for true redundancy.

High Availability, Redundant Internet Service Providers

If the data center relies on a single Internet Service Provider (ISP), PHI availability will be at risk. Ask if the data center that will be protecting your PHI has separate ISPs that connect via different sides of the data center. Ask if the redundant service providers connect all the way to the data center through the same or disparate last-mile connections; different last-mile fiber connections will provide enhanced redundancy.

HIPAA Trained Staff and Documented Policies

The most secure technologies are rendered useless without a culture of processes that ensures secure policies and procedures are documented and consistently followed. A review of independent audit reports should reflect a foundation of secure policies that guide day-to-day operations. HIPAA compliance also requires that all staff receive HIPAA security training and ongoing security updates. Ask potential vendors if all members of their staff have received HIPAA security training, where HIPAA compliance documents and policies are kept (every employee should know), and the date of the last training and security update. A company with a culture of security and compliance will have the answers readily at hand.

Enhanced Security

The following section describes additional enhanced security measures a CE can put in place to further hedge against the risk of a PHI breach. While these enhanced protections come at an additional cost to the IT budget, the cost of cleaning up the aftermath of a breach is far greater to the business.

Two-Factor Authentication

One of the weakest links in protecting PHI is the use of simple passwords. While it may seem like common sense that passwords based on a spouse's name, an anniversary, or simple patterns such as abc123 are not sufficient to protect PHI, ensure there is a policy requiring complex passwords of at least 8 characters that combine lower case letters, upper case letters, numbers, and special symbols. A policy of changing passwords regularly (every 90 days) is a good start. To protect against weak or stolen passwords, implement two-factor authentication. This requires multiple forms of identification for a login, such as a code and a username/password combination. Biometric login systems may require a fingerprint along with a code or keycard. For cloud and web-based applications, two-factor authentication systems require a username, password, and a code that is sent to a mobile device by phone call or text message. Ask your cloud provider if they provide dual-factor authentication services for VPNs and web-based logins, or contract with a service such as Duo [11] to improve PHI protection.
SSL Certificate (Web Apps)

To secure PHI data in a web-based application, an SSL (Secure Socket Layer) certificate is a must. The SSL certificate is used by software that encrypts all data moving between two or more end-points (i.e. from a browser to a server containing the application or website). Since many healthcare applications are now hosted in the cloud and accessed by browsers (Internet Explorer, Chrome, Firefox), the SSL certificate is essential to proper security.

File Integrity Monitoring (FIM)

File integrity monitoring refers to ensuring the integrity of the files on a server. The basic technique is the comparison of the current file to a known, safe baseline. While file changes are expected and within the normal realm of daily interaction and activity, there are a few key changes that may trigger additional investigation, such as a change of ownership, security settings, or configuration values. When the enhanced security of FIM makes sense, a separate server is often set up to perform this function, using one of many third-party software applications to monitor and evaluate file changes and alert administrators to any suspicious activity.

Web Application Firewall (WAF)

A web application firewall is specifically built to monitor website traffic for the transmission of sensitive data and to block any network traffic that does not fit within the allowed configuration. For PHI applications that involve a website where security is paramount, use of a WAF may make sense. It is a powerful tool in the security toolbox for consideration, and can prevent leakage of PHI data to unauthorized users.

Encryption

Encryption for data at rest and in transit is very strongly recommended. When transmitting PHI, encrypted data should be sent over an encrypted connection for ultimate security. When using encryption for PHI, one should follow the NIST (National Institute of Standards and Technology) Special Publication, Guide to Storage Encryption Technologies for End User Devices, standards for encryption. [12]

Data at rest constitutes data stored on servers or backup systems (tape or disk) while not in use. This data needs to be encrypted in case of disk theft or unauthorized access. Many data breaches are due to lost or stolen unencrypted portable devices (laptops or smartphones) - PHI should not be stored on portable devices, but instead in HIPAA compliant data centers that serve the data to mobile devices. That way, thousands of patient records aren't stored on any of your computing devices, but instead in a secure location that can be accessed through a mobile device. This greatly improves your PHI security - if you lose the device, you won't lose all of the sensitive data as well.

Additionally, the HIPAA breach notification rule only requires reporting of unencrypted data breaches in cases where 500 individuals are affected. If your data is encrypted and you experience loss or theft of data, you are not required to notify the HHS, the media or any affected individuals. [13]

[11] Duo Security.
[12] NIST, Special Publication Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
[13] U.S. Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unreadable, or Indecipherable to Unauthorized Individuals.
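The file integrity monitoring technique described under Enhanced Security above (baseline the files, then compare ownership, permission bits and content on each scan) can be shown with a short script. This is an added example, not code from the white paper or from Online Tech; the monitored directory, its files and the simulated changes are constructed for the demo.

```python
"""Minimal file integrity monitor: record a baseline, then report drift.

Added example, not from the white paper. For every regular file under a
root it stores a SHA-256 digest plus the attributes the paper singles out
(ownership, permission bits) and later diffs a fresh scan against that
baseline. The sample directory and its contents are constructed below.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content digest, size, permission bits and owner of one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # rwx bits only, e.g. 0o750
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root):
    """Map relative path -> fingerprint for every regular file under root."""
    baseline = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return sorted (path, event) pairs; one file can raise several events."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append((rel, "added"))
        elif new is None:
            events.append((rel, "deleted"))
        else:
            if old["sha256"] != new["sha256"]:
                events.append((rel, "content"))
            if old["mode"] != new["mode"]:
                events.append((rel, "permissions"))
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                events.append((rel, "ownership"))
    return events


def save_baseline(baseline, path):
    """Persist the baseline; in practice it lives on the separate FIM host."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: a config file edited, a script made
    world-writable, and an unexpected file dropped in. Returns the report."""
    with tempfile.TemporaryDirectory() as work:
        monitored = os.path.join(work, "srv")
        os.makedirs(os.path.join(monitored, "etc"))
        cfg = os.path.join(monitored, "etc", "app.conf")
        script = os.path.join(monitored, "backup.sh")
        with open(cfg, "w") as fh:
            fh.write("db_host=10.0.0.5\n")  # constructed sample config
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho nightly backup\n")
        os.chmod(script, 0o750)

        store = os.path.join(work, "baseline.json")  # outside the watched tree
        save_baseline(build_baseline(monitored), store)

        # Simulated drift since the baseline was taken.
        with open(cfg, "a") as fh:
            fh.write("debug=true\n")
        os.chmod(script, 0o777)
        with open(os.path.join(monitored, "notes.txt"), "w") as fh:
            fh.write("left behind\n")

        return compare(load_baseline(store), build_baseline(monitored))


if __name__ == "__main__":
    for path, event in demo():
        print(f"{event:12s} {path}")
```

A real deployment would run build_baseline on a schedule and ship the report to the alerting system; the baseline must be stored where a compromised host cannot rewrite it.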

4.0. Outsource vs. In-House Hosting

4.1. Benefits of Outsourcing Hosting

Save on Costs

Why would a covered entity with sensitive data outsource its hosting solution to a third party? A HIPAA compliant hosting provider that has already passed an independent HIPAA audit can save time and money by eliminating the need to audit your vendor in addition to your own business. While it does not release you from the obligation and responsibility of meeting compliance, it helps you more readily achieve compliance and mitigate risk. Additionally, managed hosting allows your IT team to focus on the applications directly related to your business, not on the day-to-day details involved with server updates, data center infrastructure, network management and security, which can more readily be outsourced to a trusted provider.

Security

A HIPAA compliant hosting provider can provide the latest tested and audited technology to help achieve compliance and secure your ePHI. With a variety of required and recommended security methods, you can trust experienced, certified professionals to maintain, monitor and accurately generate logs of activity on your servers. Outsourcing allows you to benefit from the various levels of security that a quality hosting provider should have in place. These advantages include physical security, environmental controls, logged access and video surveillance, and multiple alarm systems to detect unauthorized access. Network security includes protection of sensitive infrastructure, including managed servers, cloud, power and network infrastructure built with redundant routers, switches and paired unified threat management devices to protect sensitive information. While the HITECH Act requires private accessibility on request by your patients, your outsourced hosting provider should never access PHI, but instead build, maintain and monitor the secure infrastructure in which your sensitive information is stored and transmitted.

Availability

The use of high-availability (HA) solutions in a fully redundant and compliant data center can allow clients to increase their uptime and PHI availability. Using an HA infrastructure can reduce the risk of business downtime due to a single point of failure. Outsourcing to a HIPAA hosting provider means your business can take advantage of your data center operator's design of power connections, UPS (Uninterruptible Power Supply) systems, generators, air conditioning and networks.

Flexibility

Outsourcing allows you to benefit from the latest virtualization technologies, such as fifth-generation VMware, which dominates the market for applications that require a high degree of scalability. Choosing a high-performance managed cloud allows servers to be scaled up and down as needed to respond to the demands of end users, with fast deployment time.

Risks of Outsourcing

However, outsourcing HIPAA compliant hosting to a service provider means extending your circle of trust to include a third-party vendor. These service providers, known as business associates (BAs), open your company up to the potential risk of a PHI breach. According to HHS.gov, 62 percent of the total number of patient records breached involved a business associate, increasing the need to thoroughly vet anyone that touches your PHI. The stakes for both covered entities and business associates are getting higher, with HHS now extending responsibility to protect PHI to all business associates throughout the chain of trust. States are also exercising their rights to prosecute business associates under other provisions besides the HITECH Act.

HIPAA Breach Fines and Penalties

A covered entity's lack of due diligence can result in costly fines and penalties. The fines and penalties for a HIPAA violation (a data breach, whether lost or stolen) range from $100 per violation with a maximum fee of $25,000 for repeat violations to $50,000 per violation with a maximum fee of $1.5 million. [14] The fine amount varies by classification level depending on the violation criteria, with minimum and maximum penalties for first-time/repeat violations and annual maximums:

[14] Office of Civil Rights, Federal Register Vol. 74, No. 209, Rules and Regulations.

18 HIPAA Violation Types and Penalties 15 VIOLATION TYPE MIN. PENALTY MAX. PENALTY Individual didn t know they violated HIPAA Reasonable cause and not willful neglect Willful neglect but corrected with time Willful neglect and is not corrected $100/violation; annual max of $25,000/repeat violations $1,000/violation; annual max of $100,000/repeat violations $10,000/violation; annual max of $250,000/repeat violations $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million $50,000/violation; annual max of $1.5 million Another category of a HIPAA violation is determined by covered entities and individuals that knowingly breached the HIPAA regulations for these, criminal penalties apply. The maximum offense is a HIPAA breach committed with intent to sell, transfer or use individually identifiable health information for personal/financial gain or malicious harm, resulting in fines of $250,000 and imprisonment for up to ten years. Ultimately, covered entities are held responsible when it comes to monetary and reputational consequences, although responsibility will extend to include business associate in recent proposed revisions to the HIPAA rules. 15 American Medical Association, HIPAA Violations and Enforcement; Copyright Online Tech All Rights Reserved. page 18 of 36

5.0. Vendor Selection Criteria

5.1. HIPAA Compliant Business Associates

When a covered entity decides to outsource HIPAA compliant hosting to a business associate, it needs to look for certain indicators of compliance to ensure due diligence in vetting the service provider. Due diligence can help a covered entity prevent a potential data breach resulting in costly fines and reputational and business damage.

HIPAA Report on Compliance (HROC)

As the number of reported data breaches and their cost to the healthcare industry rise, it becomes imperative for a covered entity to select business associates that have invested in an independent audit and can provide a copy of their audit report to show that they are following compliant policies and procedures. Ask your HIPAA hosting provider whether they can provide a copy of their independent audit report (also known as a HIPAA Report on Compliance, or HROC) stating that they are compliant across all 54 HIPAA citations, 136 audited components and 19 standards.

HIPAA Certification vs. Compliance

Beware of data center operators that claim to be HIPAA certified. There is no governing body or federally recognized HIPAA certification, for covered entities or business associates alike. The correct term and usage is HIPAA compliant, meaning their policies, procedures, technology and staff implement security controls that are aligned with the HIPAA rules. While, in some cases, certification may mean they have taken an unofficial exam and passed with knowledge of HIPAA-related material, it does not mean their facilities, staff or solutions are actually compliant with the HIPAA standards. It also does not mean that using their services will make your company compliant.

Other Data Center Audits

While an HROC is specific to healthcare and the protection of PHI, other data center audits can give you additional guidance and insight into a vendor's ongoing compliance and level of operating standards, as well as the quality of service you can expect to receive.

SAS 70 [16] - The Statement on Auditing Standard No. 70 was originally used to measure a service provider's controls related to financial reporting and recordkeeping. Two types are recognized by the AICPA (American Institute of CPAs): Type 1 reports on a company's description of its operational controls, while Type 2 includes an auditor's opinion on how effective these controls are over a specified period of time. In both cases, keep in mind that the audited company gets to specify the controls that it will be audited against. Some specify only a handful of weak controls; others specify dozens of strong controls. Make sure you read the details of the controls.

SSAE 16 - The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June. An SSAE 16 audit measures the controls relevant to financial reporting. Type 1 reports on a data center's description and assertion of controls, as reported by the company. Type 2 provides a description of the auditor's tests of the accuracy of the controls and of the implementation and effectiveness of the controls over a specified period of time. No two SSAE 16 audit reports are the same, as there is no standard set of controls. Make sure you read the details of the controls.

SOC 1 [17] - One of the three new Service Organization Controls (SOC) reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It measures the same controls as an SSAE 16 audit.

SOC 2 [18] - This report is a very detailed account of the technical aspects as they relate to controls specifically concerning IT and data center server operators. The five controls include security, availability, processing integrity (ensuring system accuracy, completion and authorization), confidentiality and privacy. There are two types: Type 1 reports on a data center's system and the suitability of its design of controls, as reported by the company. Type 2 includes everything in Type 1, with the addition of an auditor's opinion on the operating effectiveness of the controls. This is the first AICPA audit to begin standardizing controls so that there is less variety between reports. However, since every audit, auditor and company is different, it is wise to read the details of the report; don't take it for granted.

SOC 3 [19] - This report includes the auditor's opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.

PCI DSS [20] - The Payment Card Industry Data Security Standard was created and implemented by the major credit card issuers, and it applies to companies that collect, store, process and transmit cardholder data. Data center operators that host cardholder data need to have undergone a PCI audit to achieve an attestation of compliance report (the

[16] American Institute of CPAs, SAS No. 70 Transformed; onserviceorganizations.aspx
[17] American Institute of CPAs, SOC 1: Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting.
[18] American Institute of CPAs, SOC 2: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.
[19] American Institute of CPAs, SOC 3: Trust Services Report for Service Organizations.
[20] The PCI Security Standards Council, PCI SSC Data Security Standards Overview; https://www.pcisecuritystandards.org/security_standards/


More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

FAQ: HIPAA AND CLOUD COMPUTING (v1.0)

FAQ: HIPAA AND CLOUD COMPUTING (v1.0) FAQ: HIPAA AND CLOUD COMPUTING (v1.0) 7 August 2013 Cloud computing outsourcing core infrastructural computing functions to dedicated providers holds great promise for health care. It can result in more

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

The CIO s Guide to HIPAA Compliant Text Messaging

The CIO s Guide to HIPAA Compliant Text Messaging The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

HIPAA ephi Security Guidance for Researchers

HIPAA ephi Security Guidance for Researchers What is ephi? ephi stands for Electronic Protected Health Information (PHI). It is any PHI that is stored, accessed, transmitted or received electronically. 1 PHI under HIPAA means any information that

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

HIPAA Security Rule Changes and Impacts

HIPAA Security Rule Changes and Impacts HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Our Cloud Offers You a Brighter Future

Our Cloud Offers You a Brighter Future Our Cloud Offers You a Brighter Future Qube Global Software Cloud Services are used by many diverse organisations including financial institutions, international service providers, property companies,

More information

HIPAA and Cloud IT: What You Need to Know

HIPAA and Cloud IT: What You Need to Know HIPAA and Cloud IT: What You Need to Know A Guide for Healthcare Providers and Their Business Associates GDS WHITE PAPER HIPAA and Cloud IT: What You Need to Know As a health care provider or business

More information