MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series WEBINAR 3


In partnership with MPCA
HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
WEBINAR 3: MEANINGFUL USE REQUIREMENTS FOR FQHCS FROM A SECURITY RISK ASPECT
March 6, 2014
Presented by: Jay Trinckes, CISO; Karen Dalton, QI Coordinator

Table of Contents

- About MPCA
- About OSIS
- Services
- Presenter Bio
- Co-Presenter Bio
- Webinar Objectives
- Meaningful Use Requirements
- Security Management Process
- Risk Analysis
- Risk Management
- Performing a Risk Assessment
- Definitions
- OCR Guidance
- Formal Analysis
- Levels of Risks
- Risk Chart
- Steps to an Assessment
- Evaluation
- OSIS Risk Assessment
- Summary
- Services

About MPCA

Michigan Primary Care Association (MPCA) has been the voice for Health Centers and other community-based providers in Michigan since [year]. It is a leader in building a healthy society in which all residents have convenient and affordable access to quality health care. MPCA's mission is to promote, support, and develop comprehensive, accessible, and affordable quality community-based primary care services for everyone in Michigan.

About OSIS

Ohio Shared Information Services, Inc. (OSIS) is a 501(c)3 non-profit organization that partners with Federally Qualified Health Centers (FQHCs) to provide IT and security related services to improve the quality of care delivered to the underserved population. Our security division has professionals on staff dedicated to providing information security services to transform healthcare.

OSIS started in December 2000 when three (3) Federally Qualified Health Centers came together to share their medical IT initiatives. They received a grant from the Health Resources and Services Administration (HRSA) to launch OSIS. OSIS has since grown to become one of the few full-service Health Center Controlled Networks in the country. OSIS has a staff of sixty-eight (68) highly experienced professionals dedicated to serving FQHCs, Community Behavioral Health Organizations, and other healthcare centers. OSIS is headquartered in Cincinnati, OH, but has employees located in eleven (11) different states and counting. OSIS currently has a satellite office in Salt Lake City and will be opening another office in the greater Chicago metropolitan area.

Services

Some of the services that OSIS provides to its partner clients are the following:

- Implementation support
- Training
- Upgrades
- Hosting
- Custom Development
- Security/Risk Analysis
- Patient Portal
- Meaningful Use Assistance
- PCMH Assistance
- Reporting UDS I2I
- Governance Development
- IT Support
- Helpdesk
- IMO Care Sentry

Presenter Bio

Jay Trinckes is Chief Information Security Officer at OSIS, a 501(c)3 non-profit organization that assists Federally Qualified Health Centers (FQHCs) with IT and security related services to improve the quality of care delivered to the underserved population. Mr. Trinckes is the author of The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules (CRC Press, 2012) and The Executive MBA in Information Security (CRC Press, 2010). Recently, Mr. Trinckes has presented on the topic of HIPAA and other related information security topics across the country through RAC Monitor, the NWRPCA-CHAMPS Conference, the NACHC-FOM-IT Conference, and locally through the HRSA regional group. Mr. Trinckes is scheduled to present on HIPAA at the Practice Management Institute's National Conference held in Chicago, IL this May. Mr. Trinckes holds a Bachelor's Degree in Business Administration/MIS along with several certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), National Security Agency (NSA) INFOSEC Assessment Methodology (IAM), and INFOSEC Evaluation Methodology (IEM). Mr. Trinckes brings a wealth of knowledge in information security through his hands-on experience performing risk assessments and vulnerability/penetration tests, developing information security management programs, and from his experiences as a former law enforcement officer.

Co-Presenter Bio

Karen Dalton, RNC, MSN, MHA, PCMH CCE, is the Quality Improvement Coordinator at OSIS. Karen is a registered nurse with experience in both inpatient and ambulatory settings, as both administrator and clinician, and currently serves as a consultant for the OSIS HCCN grant. Karen is NCC Certified as a women's health nurse practitioner and an NCQA PCMH Certified Content Expert.

Webinar 3

As healthcare organizations are incentivized to move towards electronic health records, the requirements for protecting this information in digital form increase. Since most federally qualified health centers obtain money from the federal government to implement their electronic health record solutions, meaningful use requires several reporting activities to be maintained. This seminar is designed to provide details of the Core and Menu Objectives of the Meaningful Use requirements, with an emphasis on performing an acceptable Risk Analysis/Risk Assessment.

Objectives

Attendees will learn:

- Overview of meaningful use intentions/goals.
- Discussion of the seventeen (17) Core Objectives for Stage 2.
- Detailed analysis of the Risk Analysis requirements.
- How to perform a Risk Assessment to meet meaningful use and security requirements.
- Discussion of the Menu Objectives for Stage 2.
- Tools to assist in reporting of meaningful use objectives.

Meaningful Use Requirements

To achieve health and efficiency goals, the Centers for Medicare and Medicaid Services (CMS) has implemented an Electronic Health Records (EHR) Incentive Program. This incentive program provides a monetary incentive to comply with the HIPAA/HITECH regulations, but will also create payment adjustments in Medicare reimbursements for eligible entities that do not successfully demonstrate meaningful use by [year]. Since January 2011, nearly $19 billion has been paid out for meaningful use incentives.

There are three (3) main components of Meaningful Use: the use of certified EHR technology in a meaningful manner, for electronic health information exchange, and for clinical quality submissions. Meaningful use will be implemented in three (3) stages. Stage 1 required providers to meet 15 core objectives. I would like to point out the Core 15 objective, which deals with a security risk analysis that is required to be conducted or reviewed under 45 CFR (a)(1). Furthermore, security updates were required to be implemented. Stage 2 still requires eligible professionals to ensure adequate privacy and security protection for personal health information (the same as Core 15 above). It adds another requirement to address encryption/security of data stored within the EHR software. Stage 2 also addresses using secure electronic messaging to communicate with patients on relevant health information.

Here is a good info-graphic that describes the cost benefits of implementing an electronic health record over traditional paper records. Some of the big items here are the 45% reduction in documentation time with electronic health records, a net savings of $142 billion over 15 years for outpatient and $371 billion for inpatient services, and, for safety purposes, better tracking of adverse drug events. It is all about the time, environmental, financial, and health benefits that technology can provide.

Security Management Process

Under 45 CFR (a)(1), a health center must implement policies and procedures to prevent, detect, contain, and correct security violations. One of the first policies and procedures to be implemented involves conducting a risk assessment. A health center should develop and disseminate risk assessment policies and procedures so that all workforce members have an understanding of this process. These risk assessment policies and procedures should be reviewed and updated as necessary. In addition, workforce members who are affected by or responsible for risk assessment activities should be trained accordingly.

At a minimum, the risk assessment policy should address the following:

- the purpose of the policy;
- the scope of the policy;
- a high-level overview of the different roles and responsibilities of the workforce members;
- management's commitment to the importance of a risk assessment;
- coordination between different departments or units within the health center;
- how workforce members are trained in risk assessment procedures; and
- how the health center will come into compliance with the risk assessment policies and procedures.

The health center's risk assessment policy should also define how frequently the risk assessment is reviewed and updated.

In conducting the risk assessment, the health center should make sure to identify the types and uses of the information it creates, maintains, processes, stores, or transmits. This information should be classified based on its sensitivity level. All information systems housing electronic protected health information should be identified. This inventory should be complete with all hardware, including removable media, remote access, and mobile devices. The inventory should account for software, including any types of reports, spreadsheets, databases, etc. that may contain electronic protected health information. This inventory should also include all business functions of the health center, along with verification of control over information systems. The inventory should be kept updated and current, and reviewed on a periodic basis to make sure that all information systems containing electronic protected health information are appropriately accounted for. Configurations for these information systems should also be documented, including any connections to other systems within the internal network and to external networks.

Risk Analysis

The health center is required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center. An entire section of this book was devoted to discussing the process of conducting a risk analysis. For the sake of simplification, a risk analysis must identify potential security risks. These risks can come from many different areas. The risk analysis must also determine the probability that an event will occur and the magnitude of damage or loss of information that such an event would cause. A security categorization should be determined for each information system, along with the rationale behind that ranking, and included in the health center's security plan. These security categorization decisions should be reviewed and approved by an official or delegated representative of the health center.
Risk Management

A health center is required to implement security measures [that are] sufficient to reduce risks [to] vulnerabilities to a reasonable and appropriate level. A covered entity should have policies and procedures in place for security as part of its risk management process. To conduct proper risk management, the health center should identify the security measures or safeguards that are already in place to secure electronic protected health information. These safeguards should ensure the confidentiality, integrity, and availability of electronic protected health information. These safeguards should also protect against any reasonably anticipated threat or hazard, and against any use or disclosure of electronic protected health information that is not permitted under the HIPAA Privacy Rule.

Performing a Risk Assessment

Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as covered entities' organizations and technologies change. The security standards in HIPAA were developed for two primary purposes. First, and foremost, the implementation of appropriate security safeguards protects certain electronic health care information that may be at risk.

Second, protecting an individual's health information, while permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry, an important goal of HIPAA.

The assessment takes into consideration three fundamental security parameters: confidentiality, integrity, and availability. The assessment reviews the accessibility of Electronically Protected Health Information (EPHI) to verify that it is not altered or destroyed in an unauthorized manner and that it is available as needed by authorized individuals. This assessment reviews, but is not limited to, the following implementation standards and provides recommendations on how to comply with these standards, if required, or to strengthen the security posture of the client:

Administrative Safeguards
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements

Organizational Requirements (if applicable)
- Business Associate Contracts or Other Arrangements
- Requirements for Group Health Plans

Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

Policies and Procedures and Documentation Requirements

Definitions

Audit Controls - Technical and non-technical policies, procedures, practices, and/or standards of operation that aid the institution in protecting non-public information and other valued electronic and physical assets from unauthorized access, corruption, deletion, manipulation, or theft.

Availability - EPHI can be accessed as needed by an authorized person.

Confidentiality - EPHI is accessible only by authorized people and processes.

Electronic Form - means using electronic media: electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranets (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Findings - Audit Controls that are not being practiced or are not adequate to protect non-public information and other valued assets from unauthorized access or disclosure.

Group Health Plan - is an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care, including items and services paid for as medical care, to workforce members or their dependents directly or through insurance, reimbursement, or otherwise, that: (1) has 50 or more participants (see endnote 12); or

(2) is administered by an entity other than the employer that established and maintains the plan. See 45 C.F.R.

Health Care - means care, services, or supplies related to the health of an individual. It includes, but is not limited to, the following: (1) Preventive, diagnostic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. See 45 C.F.R.

Health Care Clearinghouse - is a public or private entity... that performs either of the following functions: (1) Processes or facilitates the processing of health information... in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. (2) Receives a standard transaction... and processes or facilitates the processing of health information [in the standard transaction] into nonstandard format or nonstandard data content for the receiving entity. See 45 C.F.R.

Health Information - is defined broadly to include any information, whether oral or recorded, in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Integrity - EPHI is not altered or destroyed in an unauthorized manner.

Medical Care - means amounts paid for: (A) diagnosis, cure, mitigation, treatment or prevention of disease, or amounts paid for the purpose of affecting any structure or function of the body; (B) amounts paid for transportation primarily for and essential to medical care referred to in (A); and (C) amounts paid for insurance covering medical care referred to in (A) and (B). See 42 U.S.C. 300gg-91(a)(2).

Risk - is a function of the likelihood of a threat being triggered and the resulting impact to an organization.

Standard Transaction - is a transaction that complies with the standard for that transaction that the Secretary adopted in 45 CFR Part 162. See 45 C.F.R.

Threat - is defined as the potential for a person or thing to accidentally trigger or intentionally exploit a specific vulnerability.

Vulnerability - is defined as a weakness in a system, procedure, or control that, if triggered accidentally or intentionally, could result in a security breach or violation of policy.

OCR Guidance

The Office for Civil Rights (OCR) issued Guidance on Risk Analysis Requirements under the HIPAA Security Rule on July 14, [year]. This guidance is not a standard or a one-size-fits-all blueprint, but rather clarifies some of the expectations that the Department of Health and Human Services has as part of the Risk Analysis requirement.

Formal Analysis

Again, there are no specific criteria or set procedure for performing a Risk Analysis; however, a formal analysis should include at least the following items:

- Scope of analysis, to include all potential risks to the confidentiality, availability, and integrity of protected health information that an organization creates, receives, maintains, or transmits in all of its forms, such as paper and electronic media.
- Data collection to identify all relevant data on electronic protected health information.
- Identify and document potential threats and vulnerabilities.
- Assess current mitigating controls and security measures implemented.
- Determine the likelihood of a threat.

- Determine the potential impact of a threat occurring.
- Determine the level of risk as a function of the likelihood and impact.
- Formal documentation.
- Periodic review and update.

Levels of Risks

OSIS divides risk into five (5) levels of priority. These priority levels are primarily utilized in the Security portion of this assessment:

Critical Priority - Exploiting these vulnerabilities will immediately lead to administrative or root level access on a network or provide unauthenticated or unauthorized access to EPHI. There are no policies/procedures in place or implemented to satisfy requirements.

High Priority - Exploiting these vulnerabilities will immediately lead to compromise of EPHI or of a system on a network that contains EPHI. There may be policies/procedures in place; however, they may not be fully implemented.

Medium Priority - Exploiting these vulnerabilities will immediately lead to compromise of non-public Covered Entity data or has the potential to lead to the compromise of EPHI through further exploitation. There are policies/procedures in place that are implemented, but there may be some contradictions or discrepancies.

Low Priority - Exploiting these vulnerabilities could provide information to be used in future attempts to compromise any non-public data, or any finding that does not pose an immediate threat. There are policies/procedures in place that are implemented, but they could be strengthened slightly.

Informational - Observations that OSIS assessors made while onsite. Observations usually accompany suggestions for improvement of the Covered Entity's overall security posture.

Note: The priority levels, or risk levels, take into consideration the probability of occurrence and the impact that a finding could have on the covered entity if the vulnerability were exploited to the fullest extent. Other mitigating controls are factored into the rating levels.

Risk Chart

Rows are IMPACT; columns are LIKELIHOOD - CRITICALITY.

                      Remote         Unlikely       Credible   Likely   Almost Certain
Extreme/Catastrophic  Low            Medium         High       High     Critical
Major                 Low            Medium         Medium     High     High
Moderate              Low            Low            Medium     Medium   High
Minor                 Informational  Low            Low        Medium   Medium
Nominal               Informational  Informational  Low        Low      Low
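The chart above is a lookup from (likelihood, impact) to one of the five priority levels. The Python below is an added example, not an OSIS tool: it encodes that chart, rates a set of constructed sample findings, and estimates the residual risk after mitigating controls, which is one of the assessment steps listed in the next section. The Finding structure, the sample findings, and the rule that each effective control lowers likelihood by one step are assumptions for illustration.

```python
"""Risk rating helper for the five-level priority scheme and Risk Chart above.

Added example, not an OSIS tool. The matrix cells are transcribed from the
page's Risk Chart (impact rows x likelihood columns). The Finding class and
the one-step-per-control reduction used to estimate residual risk are
assumptions for illustration, not part of the source material.
"""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Columns of the Risk Chart, least to most likely."""
    REMOTE = 0
    UNLIKELY = 1
    CREDIBLE = 2
    LIKELY = 3
    ALMOST_CERTAIN = 4


class Impact(IntEnum):
    """Rows of the Risk Chart, least to most severe."""
    NOMINAL = 0
    MINOR = 1
    MODERATE = 2
    MAJOR = 3
    EXTREME = 4


class Priority(IntEnum):
    """The five OSIS priority levels; a higher value is more urgent."""
    INFORMATIONAL = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


P = Priority
# Each row lists the rating for likelihood REMOTE .. ALMOST_CERTAIN, as charted.
RISK_CHART = {
    Impact.EXTREME:  (P.LOW, P.MEDIUM, P.HIGH, P.HIGH, P.CRITICAL),
    Impact.MAJOR:    (P.LOW, P.MEDIUM, P.MEDIUM, P.HIGH, P.HIGH),
    Impact.MODERATE: (P.LOW, P.LOW, P.MEDIUM, P.MEDIUM, P.HIGH),
    Impact.MINOR:    (P.INFORMATIONAL, P.LOW, P.LOW, P.MEDIUM, P.MEDIUM),
    Impact.NOMINAL:  (P.INFORMATIONAL, P.INFORMATIONAL, P.LOW, P.LOW, P.LOW),
}


def rate(likelihood: Likelihood, impact: Impact) -> Priority:
    """Risk as a function of likelihood and impact, straight from the chart."""
    return RISK_CHART[Impact(impact)][Likelihood(likelihood)]


@dataclass
class Finding:
    """One assessment finding (hypothetical structure, not the HISSRA format)."""
    title: str
    likelihood: Likelihood
    impact: Impact
    # Assumption: each effective mitigating control lowers likelihood one step.
    effective_controls: int = 0

    def inherent(self) -> Priority:
        """Rating before any mitigating controls are credited."""
        return rate(self.likelihood, self.impact)

    def residual(self) -> Priority:
        """Rating after controls are credited; likelihood never drops below REMOTE."""
        reduced = max(Likelihood.REMOTE, self.likelihood - self.effective_controls)
        return rate(Likelihood(reduced), self.impact)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings for the report: highest residual risk first, then inherent."""
    return sorted(findings, key=lambda f: (f.residual(), f.inherent()), reverse=True)


def tally(findings: list[Finding]) -> dict[str, int]:
    """Count findings per residual priority level, e.g. for a report summary."""
    counts = {p.name: 0 for p in Priority}
    for f in findings:
        counts[f.residual().name] += 1
    return counts


# Constructed sample findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("No written risk assessment policy", Likelihood.LIKELY, Impact.MAJOR),
    Finding("Laptops used for remote charting are not encrypted",
            Likelihood.CREDIBLE, Impact.EXTREME, effective_controls=1),
    Finding("EPHI system inventory last reviewed over a year ago",
            Likelihood.CREDIBLE, Impact.MODERATE),
    Finding("Workforce security awareness training overdue",
            Likelihood.UNLIKELY, Impact.MINOR),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.residual().name:<13} (inherent {f.inherent().name}): {f.title}")
    print(tally(SAMPLE_FINDINGS))
```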

Steps to an Assessment

This assessment takes all of the above into consideration along with following these steps:

- Determine system characterization, to include hardware, software, system interfaces, data/information, people, and system mission.
- Identify vulnerabilities or weaknesses in procedures, controls, or safeguards.
- Identify events that could cause a negative impact.
- Identify the current controls in place.
- Identify the potential impact of exploiting a threat in terms of loss of confidentiality, integrity, and availability.
- Recommend mitigating security controls.
- Determine the residual risk after implementing controls.
- Document the outcomes of the risk assessment.

Reference: NIST Special Publication : An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Evaluation

One of the most important requirements of the HIPAA Security Rule is reflected in 45 CFR (a)(8), which states that a health center is required to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule [the HIPAA Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements [of the HIPAA Security Rule]. This should also be part of the Meaningful Use requirement mentioned earlier. The only way to prove that the solutions implemented as part of policies and procedures are meeting the requirements of the HIPAA Security Rule standards is to perform testing on these measures. It is recommended that an annual technical and nontechnical evaluation be performed on the health center. This should be performed by an experienced and reputable third party provider to maintain independence. Although there may be a lot of highly skilled resources on staff, the unfortunate part of an evaluation is that they may not have enough separation of duties or be independent enough to provide value to the review. The normalcy of day-to-day operations, and the possibility of being short-sighted when conducting these types of evaluations, both point to getting an outside party to conduct such reviews. Furthermore, internal staff may not have the appropriate experience or training necessary to conduct a thorough technical and nontechnical evaluation.

To conduct the appropriate technical evaluation, you need to consider a vulnerability/penetration test. What is the difference between a vulnerability test and a penetration test? I use an analogy of a burglar checking a neighborhood for a house to break into. A vulnerability test is synonymous with the burglar checking doors and windows to see whether they are locked. A penetration test actually starts when the burglar finds an open door or window and gains entry into the house. (It could also start when the burglar decides to break a window and enter the house.) Be aware that not all service

providers that perform these types of services are qualified to conduct them. You should make sure to utilize qualified and experienced assessors to perform these services. The difference between a good and a great evaluation is the quality of the analysis, the ability to interpret the findings into business terms, and the rationale for justifying expenditures to mitigate risks.

OSIS Risk Assessment

OSIS divides the HISSRA Report into five (5) facets. Each facet contains many Audit Controls that OSIS's assessors have reviewed during the course of the engagement. Research is conducted through a combination of questionnaires, staff interviews, direct observation, and internal and external penetration testing.

Administrative Safeguards (45 CFR ) - The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information."

Physical Safeguards (45 CFR ) - The Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." The standards are another line of defense (adding to the Security Rule's administrative and technical safeguards) for protecting EPHI.

Technical Safeguards (45 CFR ) - The Security Rule defines technical safeguards as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."

Organizational Requirements (45 CFR ) - The Business Associate Contracts and Other Arrangements standard found at (b)(1) requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity's electronic protected health information (EPHI). The standard, at (a)(1), provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates. In general, a business associate is a person or entity other than a member of the covered entity's workforce that performs functions or activities on the covered entity's behalf, or provides specified services to the covered entity, that involve the use or disclosure of protected health information. A business associate may also be a covered entity.

Policies/Procedures/Documentation Requirements (45 CFR ) - The Security Rule sets forth specific requirements for all policies, procedures and documentation required by the Rule. Specifically, it requires that covered entities: "Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in (b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart."

The Documentation standard requires covered entities to: (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Summary

In summary, health centers should assume that an audit will happen; it is a question of when, not if. Health centers should be prepared for an audit. If internal resources are not available, they should seek assistance from professional and experienced third party service providers. Staff members responsible for compliance need to take ownership of the process, and health centers themselves need to have a security/compliance mind-set. The information security management program begins with the risk assessment. Risk assessments should be on-going. It cannot be stressed enough how valuable it is to train, educate, and make staff members aware of security/compliance-related matters, and to define the health center's expectations for its staff appropriately. Consistently evaluate and adjust efforts to make sure they meet objectives. Finally, document everything the health center does when it comes to information security and compliance efforts.

Services

- HIPAA Compliance Program
- HIPAA/HITECH Information Systems Security Risk Assessment
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Internal/External Vulnerability/Penetration Test
- Organizational Requirements
- Policies, Procedures, & Documentation Requirements
- Policies/Procedures
- Security Awareness Training
- Mitigation Management
- Vendor Due Diligence
- Security Incident Response Handling
- Business Continuity/Disaster Recovery Planning
- Subject Matter Expertise


More information

New privacy and security requirements increase potential legal liability and jeopardize brand reputation.

New privacy and security requirements increase potential legal liability and jeopardize brand reputation. New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com Background CASRO and Standards CASRO takes

More information

HIPAA Security Rule Toolkit

HIPAA Security Rule Toolkit California Office of Health Information Integrity (CalOHII) HIPAA Security Rule Toolkit User Guide Version 1.0 2/1/2012 Table of Contents 1.0 - HIPAA Security Rule Background... 0 2.0 Purpose... 1 3.0

More information

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS The undersigned practice (the Practice ) and participating providers (each, a Provider, and collectively, Providers ) presently intend to become

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information