Running Head: HIPAA SECURITY RULE FOR BUSINESS ASSOCIATES IN THE CLOUD

Size: px
Start display at page:

Download "Running Head: HIPAA SECURITY RULE FOR BUSINESS ASSOCIATES IN THE CLOUD"

Transcription

1 Running Head: HIPAA SECURITY RULE FOR BUSINESS ASSOCIATES IN THE CLOUD HIPAA Security Rule for Business Associates in the Cloud: Compliance Assessment and Recommendations for Datum Management Systems Joanne Pallas May 14, 2014 National University HTM 692: Health Informatics Capstone Dr. Barbara F. Piper 1

2 Introduction The primary purpose of this paper is to examine how a big data company such as Datum Management Systems (DMS) with cloud computing can be compliant with HIPAA regulations administratively, physically, and technologically. A secondary purpose is to identify where DMS might have compliance gaps in these three area safeguards. Cloud computing is a form of virtualization that shares information technology (IT) infrastructures such as data storage and software applications over the internet (Laudon & Laudon, 2012). Cloud computing utilizes three types of Service models; Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) (Laudon & Laudon, 2012). IaaS includes networks and databases that give organizations the extra resources they need to operate efficiently. PaaS gives organizations the platform they need to operate applications (Laudon & Laudon, 2012). SaaS allows users access to software applications usually through web-based browsers (Laudon & Laudon, 2012). There are four different types of clouds, Private, Public, Community and Hybrid clouds (Laudon & Laudon, 2012). Private clouds are singular organizations that control the resources. Public clouds are attractive because of lower cost, accessibility to all customers, and can be operated by cloud providers. Community clouds are basically smaller versions of public clouds that support specific users or groups. Hybrid clouds integrate important elements from two or more cloud types allowing for a balance of security and service (Laudon & Laudon, 2012). Cloud computing has become part of many industrywide day-to-day operations including governmental and healthcare operations. Cloud computing is currently very much in demand because it allows for rapid deployment of online services and the application and cost saving benefits of not having to purchase and maintain expensive physical infrastructures to house data 2

3 (Samson, 2010). Cloud computing offers the ability to change computational capacity as demand changes. The omnibus final rule published on January 25, 2013 by the United States Government implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted initially as part of the American Recovery and Reinvestment Act (ARRA) of 2009 (Federal Register, 2013). This final rule expands the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to hold subcontractors directly liable for compliance of its privacy and security rules. Subcontractors are under the umbrella of business associates. The Department of Health and Human Services (HHS) defines a business associate as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity (Business Associates, 2003, p. 1). Covered entities are health care providers, health plans, and health clearinghouses. In essence, companies providing services to the healthcare industry are now expected to be HIPAA compliant. Datum Management Systems (DMS) is a big data company that offers SaaS cloud computing services. DMS primarily provides services as a subcontractor meaning services are not typically provided directly to the healthcare organizations but rather are provided through business agreements with other entities. The HIPAA security rule requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ephi). Complying with the HIPAA security rule requirements in a cloud environment is daunting and challenging. Subcontractors previously were not subject to this rule, but now subcontractors are subject to the Office of Civil Rights (OCR) audits and penalties in the same 3

4 manner as are business associates (Complete & easy HIPAA compliance, 2013). The impact of this change to DMS is the reason for undertaking this review and paper. Background Security of ephi that is stored and processed in the cloud is a major concern because data are permanently and/or temporarily stored beyond patient control. Recent data breaches and security incidents cause patients and others to experience a lack of confidence in the security of their data (HIPAA Hurdles, 2013). Thus, the omnibus rule addresses these security risks. The omnibus rule and its recent inclusion of subcontractors such as DMS have a ripple effect for downstream subcontractors who are now responsible for HIPAA security compliance as well. It is important to distinguish between the cloud service provider and the cloud platform provider. The healthcare organization contracts with a cloud service provider to provide application services such as prescriber eligibility. The cloud service provider in this case DMS in turn contracts with a cloud platform provider Amazon, who may or may not be visible to the healthcare organization contractually. With the new Omnibus rule, both cloud providers DMS and Amazon are liable for complying with the HIPAA security rule requirements, which only applies to ephi. DMS s entire business is based on the electronic transfer of data, so the need to comply with the security rule is essential. Under the OCR audit program, covered entities and business associates are selected to be audited at random. The audits are meant to assess mechanisms for compliance, identify bestpractices, and uncover risks and vulnerabilities. The audit results provide guidance for how to best meet observed compliance challenges via the OCR web site and through other outreach portals (HIPAA Hurdles, 2013). HIPAA Security Rule 4

5 The omnibus rule reinforces the need for a shared-responsibility security model among health organizations such as DMS and cloud providers (service providers and platform providers) to achieve the flexibility and control to allow healthcare institutions to deploy HIPAA-compliant applications. There are several layers of physical, administrative, and technical controls that are required to ensure cloud resiliency and achieve compliance with HIPAA (Hamami, 2013). Data privacy is a key component for HIPAA. Health organizations need to maintain security, control where the data resides, take precautions to preserve privacy, and utilize mechanisms to audit access (HIPAA Hurdle, 2013). The cloud platform is designed to be abstracted, so determining the physical storage and network access points where data reside are challenging. Encrypting data from end-to-end including storage would be ideal, but few health care application vendors can support this approach. Ascertaining complete control of the data in cloud computing seems to be in conflict with the inherit design of the cloud platform, so certain precautions need to be employed. There are several certifications offered but no industry-wide certification exists that would ultimately provide legal protection (Witt, 2011). To protect an organization s interest, a strong contract with the cloud provider is needed that includes detailed reporting of all access to the servers and storage by anyone within their organization. HIPAA s privacy and security regulations are not fully known or understood by most healthcare organization staff or DMS staff (Witt, 2011). This lack of knowledge can severely impact an organization s ability to achieve and enforce compliance. The opportunity for staff members to mishandle ephi data is high. Factor in the cloud provider staff member s possibility to mishandle ephi data and insecure connections, and the risks are exponentially increased. Implementation Specification 5

6 There are a number of standards under each set of safeguards in the security rule that comprise a number of implementation specifications. An implementation specification can be either required or addressable. Required means the requirement of the implementation specification must met in order to be compliant. Addressable means assessment of the implementation specification must be done to determine whether the implementation specification is reasonable and appropriate for the environment. Overall, compliance is an ongoing iterative effort that covered entities and business associates need to plan for and review on a regular basis or face the consequences of not being HIPAA compliant (HIPAA Hurdle, 2013). The following sections of the paper address the three types of safeguards: Physical, Administrative, and Technical. Physical Safeguards Physical safeguards are defined as physical measures, procedures, and policies to protect electronic information systems and equipment from environmental and natural hazards, and unauthorized intrusion (Ouellette, 2012b). Safeguarding facility access controls, workstations, and device and media controls are necessary standards. These safeguards are necessary whether hosted on the premises or hosted at another location. Cloud provider data centers must be highly secure and resilient to enforce physical security. DMS limits physical access to electronic information systems housing ephi data. To provide such security, DMS physically isolates network access points. DMS corporate headquarters has a single access point room that provides connectivity to machines hosting ephi data. Only select, named, HIPAA trained employees are allowed access to the secured room. Access to the room is monitored via swipe card, and with central auditing and logging. The 6

7 servers in the secured room are only used to transport data into the cloud infrastructure. These are the only machines capable of transmitting data to and from the cloud infrastructure. Administrative Safeguards Administrative safeguards represent more than half of the HIPAA Security requirements. Having the appropriate safeguards in place helps prevent data breaches. An administrative safeguard is defined as administrative actions, policies and procedures, and development, implementation, and maintenance of security measures to manage the conduct of healthcare organizations and entities to protect ephi (Love, 2011). Evaluation of preexisting security controls, analyzing risks, and documenting solutions and having implementation plans are all part of administrative safeguards organizations and entities use to protect ephi (Ouellette, 2012a). Compliance requires assessment of current security, risks, and gaps, which are the inputs for an implementation plan. It is important to read and review the security rule before developing an implementation plan. HHS provides implementation specifications and indicates which specification is addressable. Security measures and solutions that are reasonable and appropriate for the organization must be implemented (Bender, 2012). The results of the organization assessment must be documented and be reassessed periodically to ensure that security measures are up-to-date with environmental or operational changes that might affect the security of ephi (Bender, 2012). Security management process implements policies and procedures to detect, prevent, contain, and correct security violations. There are four implementation specifications in the security management process. Risk analysis which is required consists of conducting an assessment of the potential risks and vulnerabilities an organization may have with ephi. Risk 7

8 management which is required, means implementing security measures to adequately address vulnerabilities and reduce risk (Ouellette, 2012a). Sanction policy which is required applies to appropriate sanctions against staff who do not comply with the security procedures or policies of the organization (Ouellette, 2012a). Information system activity review which is required implements procedures to periodically review information system activities. System logs and access reports are examples, as are security incident reports. DMS has begun the security management process and determined a third party consultant was needed to conduct the risk analysis. While standard security measures are in place without the results of the risk analysis, DMS cannot definitively state that the risk management specification has been met. The code of conduct does specify adverse action for staff failing to comply with the organization s policies and procedures. DMS has in place a multitude of system logs and activities and reviews by diversified teams as well as security incident reports. Assigned security responsibility which is required identifies the person who is responsible for the security rule for the organization. This includes the development and implementation of related policies and procedures. DMS has designated the Director of Human Resources Management as the Compliance Officer. Workforce security is addressable but not required. Workforce security implements procedures and policies that ensure that staff has appropriate access to ephi (Ouellette, 2012a). Authorization and/or supervision of procedures relates to the authorization of staff with access to ephi data and their specific locations. Workforce clearance procedures exist to determine which access level is appropriate. Termination procedures for ensuring staff who are terminated do not have access to ephi are in place. In summary, DMS has policies and procedures in place to verify that authorization levels and supervision requirements for access to protected health 8

9 information exist. While there are policies and procedures in place for workforce security, the actual enforcement of the policies and procedures is not done judiciously. While access to data is authorized on a need to know basis, portable devices, and laptops are often lost and not reclaimed upon staff termination. Information access management is required to address and implement procedures and policies for ephi authorization access. Isolating health care clearinghouse functions from the larger organization to protect ephi from unauthorized access is required (Ouellette, 2012a). Access authorization is addressable and relates to procedures and policies for granting access to ephi through access to a workstation program process transaction, or other mechanism (Federal Register, 2013). Access establishment and modification is addressable and is based on the entity access authorization policies. DMS grants staff access privileges through a documented process that establishes the identity of the user and the need to have access to the ephi. The information technology department has the capability to enforce the access controls defined by the information access management policies and procedures. Restricting access to ephi diminishes the risk of a data breach. Security awareness and training is required and is addressable to implement programs for all staff members (Ouellette, 2012a). Security reminders to ensure periodic security updates are performed and capable of being addressed. Implementing procedures for detecting, guarding against, and reporting malicious software are addressable. Login monitoring is addressable as are reports and monitoring of login attempts and discrepancies. Password management is addressable as are the implementation procedures for creating, modifying, and safeguarding passwords. 9

10 Covered entities and business associates have discretion to determine how to implement the requirement and latitude to incorporate training and awareness into other existing activities (Ouellette, 2012a). The training and frequency should be an ongoing process and take into account environmental and operational changes. DMS has implemented security awareness training and HIPAA training for key personnel with access to ephi. Part of the compliance committee responsibilities involves reviewing and updating the DMS policies and procedures which include training and awareness. Staff members who are not in the corporate office do not undergo this training. A security incident procedure which is required ensures the entity implements policies and procedures for security incidents (Ouellette, 2012a). There is one required implementation specification for this standard, which is the response and reporting specification. An entity must identify and respond to known or suspected security incidents. This includes mitigation activities to the extent reasonable and the documentation of the incidents and the outcomes. DMS does not have a centralized security incident procedure and reporting system. There are several policies and procedures that address different types of incidents but no one centralized place to view the incidents and outcomes. The contingency plan has required and addressable implementation specifications. A contingency plan establishes procedures and policies needed for responding to unexpected events that may affect systems housing ephi (Ouellette, 2012a). There are five implementation specifications for the contingency plan. A data backup plan is required and ensures there are procedures to create and maintain exact copies of data that are retrievable in case of a system failure (Witt, 2011). 10

11 A disaster recovery plan is required to establish procedures for the restoration of any lost data. An emergency mode operation plan is required to establish procedures to ensure the continuity of critical business processes for the security of ephi during an unexpected event (Ouellette, 2012a). Testing and revision procedures are addressable as are implementation procedures for intermittent testing and revisions as needed as part of the contingency plans. Applications and data criticality analysis is addressable and needs to assess the criticality of the specific data and applications to support other contingency plan components. Disaster recovery and business continuity plans become even more important in a cloudcomputing environment. The cloud provider must have redundancies in place for data backups and for the everyday use of the services. If the cloud service is unavailable, then organizations have unacceptable downtimes beyond the control of their IT departments (Hamami, 2013). DMS has a disaster recovery plan and data backup plan, but the testing and revision procedures are not established. The emergency mode operation plan and its applications and data criticality analysis have not yet been done. An evaluation of both technical and nontechnical standards for implementation is required (Ouellette, 2012a). The evaluation is done periodically in response to environmental or operational changes affecting the security of ephi. DMS has recently undergone several client audits and implemented a mandatory quarterly evaluation of standards to ensure compliance with the security policies and procedures. Business associate contracts and other arrangements are required and permit a business associate to create, maintain, receive, and transmit ephi on the entity s behalf. Satisfactory assurance that the business associate will safeguard the data appropriately is required (Bender, 11

12 2012). Written contracts are required to document those satisfactory assurances. DMS does not have satisfactory assurances from all business associates, which now include subcontractors. Technical Safeguards Technical safeguards are defined as access control, audit controls, integrity, user authentication, and transmission security (Ouellette, 2012c). Access control is restricting the access to ephi to those granted access rights. Having procedures in place to assign unique user identifiers to identify and track user activities is an example of technical safeguards (Federal Register, 2013). Setting workstations to automatically log off after a specific time interval and have encrypting and decrypting systems are included in the technical safeguards. Audit controls are needed to examine all ephi activities and the integrity of the controls (Ouellette, 2012c). Protecting the data includes preventing ephi from being altered or destroyed improperly. Verifying or authenticating the person accessing the data is key. Encryption can achieve protection for data in motion and for data at rest. No specific encryption strength is mandatory, but it is recommended that decryption tools be stored in a different location from the encrypted data (Khansa et al., 2012). DMS has access control for ephi data stored within Amazon s Simple Storage Service (S3). S3 provides storage infrastructure that can be used to achieve HIPAA compliance per Amazon (Amazon Web Services, n.d.). There are two types of data in the system: persistent and transient (Suciu, 2012). Transient data reside in the RAM (random access memory) of the device and are de-allocated once the session is over. Persistent data reside in a database or file. Persistent data can be made available to more than one user. Persistent data are generally usergenerated. Persistent data are stored within S3. To process the persistent data, the system uses a dedicated, HIPAA compliant Virtual Private Cloud (VPC) within Amazon s Elastic Compute 12

13 Infrastructure (EC2). VPC s are often used as the basis for HIPAA compliant cloud infrastructure (Amazon Web Services, n.d.). Even Amazon employees do not have access to hosts within a VPC (Amazon Web Services, n.d.). Network connectivity from the secured room is limited to a single, isolated Virtual Local Area Network (VLAN) that connects to the DMS firewall. Equipment connected to the VLAN is registered, logged, and audited using Media Access Control (MAC) Access Control Lists by the DMS Security Administrator. DMS s firewall connects to the secure room s VLAN via a pre-shared key Internet Protocol Security (IPsec) VPN to Amazon s VPC. This connection process provides industry standard for in-flight encryption. The Amazon VPC itself is entirely disconnected from all other Internet and internal networks with the single exception of connectivity to S3 storage which is dedicated to only DMS processing of ephi data. Connectivity between the VPC and S3 takes place over Secure Socket Layer (SSL). Similar to IPsec, SSL encrypts all data transmissions between the endpoints using pre-shared keys. DMS uses Pretty Good Privacy (PGP) software for at-rest encryption on all equipment in the secure room. DMS securely wipes hard drives before removal or decommissioning from the secure room; or destroys the drive if it is no longer accessible. Within S3, data are encrypted two ways: DMS takes advantage of both the server-side and the client-side encryption for the data. S3 s server-side encryption is transparent and provides a high-level of security for the hosted data. Amazon S3 Server Side Encryption employs Advanced Encryption Standard (AES) 256, which has been adopted by the US Government (Amazon Web Services, n.d.). Server side encryption renders the data useless unless the client requesting the data is first authenticated (Samson, 2010). The requester must be authorized to access the specific object requested. In 13

14 addition to the server-side encryption, DMS utilizes additional client-side mechanism that encrypts the data before it is ever transmitted or stored within the VPC. DMS has engaged Gazzang to aid in data at-rest and in-flight encryption. Gazzang is a company that protects sensitive information and maintains performance in big data and cloud environments with advance encryption. This platform separates key management storage from the host. Using this approach, keys are not co-located with the data, which means even if the system is compromised at the root or physical level, the key remains secure and the data cannot be decrypted. Applying client-side encryption prior to pushing the data into the cloud ensures that the data are doubly encrypted at all stages in the process. While in transit, the bytes traversing the network are encrypted at the data layer and the network layer. Data processing of the transient information is protected during transmission. For analytics, DMS uses Amazon s Elastic Map Reduce (EMR) infrastructure. EMR is a map reducing framework that allows data scientists to execute ad-hoc queries against large datasets. Gazzang s is specifically designed to provide the secure infrastructure required to run data analytics, ensuring that all transient data generated during the processing are also secure. The hosts in the VPC are in use for a short period of time and then destroyed, along with all transactional monitor activity within the system to detect malicious behavior. DMS leverages Gazzang s capability, which provides audit logs for key management and access. S3 provides audit log mechanisms for data access. Methodology An extensive literature review was conducted through the National University s Online Library. Keywords used in the process of searching for peer-reviewed evidence included but were not limited to: Health Information Technology for Economic and Clinical Health, HITECH 14

15 Act, American Recovery and Reinvestment Act, ARRA, omnibus rule, breach notification, subcontractors, covered entities, Health Insurance Portability and Accountability Act of 1996, HIPAA, final rule, security, privacy, cloud computing, compliance, safeguard, and security. A reference librarian was contacted who helped focus the search terms to retrieve additional publications within the past five years. The key search terms were HIPAA in the cloud, HIPAA AND cloud, cloud computing, cloud computing AND compliance, security rule OR HIPAA AND cloud, subcontractor OR business associate AND HIPAA OR compliance AND cloud, cloud AND certification OR compliance, omnibus rule AND cloud, final rule AND cloud, cloud AND security AND compliance, privacy AND cloud OR HIPAA, HIPAA security rule safeguard, HIPAA security rule, HIPAA administrative. Due to the recent development in regulation and evolving technological advancements, careful consideration was made to ensure that the majority of literature reviewed was current in accordance with the omnibus final rule of Vendor claims were used as relevant to emerging technologies, standards, and certifications. Expert opinion of industry leaders were reviewed as content on HIPAA in the cloud is a new area not sufficiently documented in publications or on vendor websites. Compliance strategies remained a focal point for the analysis of how the HIPAA compliance can be achieved in a cloud environment. Media sources were cataloged according to the source rubric. The criteria to include media sources were evaluated based on the following criteria: Establishes guidelines for reaching security compliance Analyses of ephi challenges in cloud environment Analyses of public cloud computing infrastructure 15

16 Evaluates security compliance in cloud environment Reviews the impact of omnibus rule to subcontractors Evaluation of the Evidence A rubric for measuring the evidence of each media source was scaled as followed: 1 = meta-analysis, 2 = single research study, 3 = case study, 4 = review article, 5 = expert opinion, 6 = vendor claims, and 7 = personal experience. Results of the media source analysis are displayed below. Media Resource Rating Quality Narrative Bender, Review of privacy and security rules and challenges in cloud computing from a legal perspective Business Associates Comprehensive definition of business associates and impact of final rule Complete & easy HIPAA compliance, Comprehensive review of HIPAA compliance requirements to mitigate cloud computing risks Federal Register Source of truth contains final rule Hamami, Review of seven factors for healthcare providers HIPAA Hurdles, Review of regulatory rule and impact to healthcare providers HITRUST, Very technical review of cloud security solutions and alliances DMS Draft HIPAA Strategy Expert opinion of author s inside analysis of business policies and procedures Khansa et al., Review of proposed cloud computing solutions for large-scale data sets Laudon & Laudon, Comprehensive technical approach review Love, Review of privacy ethics and compliance to protect ephi Ouellette, 2012a 4 Comprehensive analysis derived from systematic review of HIPAA security rule administrative safeguards Ouellette, 2012b 4 Comprehensive analysis derived from systematic review of HIPAA security rule physical safeguards Ouellette, 2012c 4 Comprehensive analysis derived from systematic review of HIPAA security rule technical safeguards 16

17 Media Resource Rating Quality Narrative Samson, Technical security review of cloud computing solutions for companies wrestling with large-scale data sets Suciu, Technical review of database infrastructure Witt, Review of HIPAA in the cloud compliance and adoption strategies Expert opinion and clearly defines challenges Figure 1: Media Resources Chart 17

18 Synthesis and Summary The HIPAA Security Rule imposes requirements upon covered entities which now extend to business associates including subcontractors. The requirements ensure the confidentiality, availability, and integrity of ephi as much as possible. In addition, the security rule provides reasonable safeguards against security threats and protects against impermissible disclosure and uses of the data. The security rule is not rigid and allows for some flexibility in the implementation allowing for consideration of the organization s size, capabilities, infrastructure, and complexity. There are standards and implementation specifications which are either mandatory or addressable. The implementation specifications are guidelines meant to establish or implement procedures, but do not provide sufficient direction on how to actually achieve the requirement. Administrative safeguards, which comprise over half of the HIPAA security requirements can be achieved by security management processes; security awareness and training; and security incident response procedures and contingency planning (Khansa, et al., 2012, p. 57). Cloud providers must comply with industry standards and offer, HIPAA-compliant tools for accessing service endpoints, such as cryptography and authentication technologies, and access control, audit, and tokenization services (Khansa, et al., 2012, p. 57). The National Institute of Standards and Technology (NIST) Guidelines of Security and Privacy in Public Cloud Computing report, enumerated security and privacy challenges on the cloud as governance, compliance, data ownership and risk management, architecture, identity and access management (IAM), availability, and incident response (Khansa, et al., 2012, p. 57). There is an abundance of regulatory compliance standards that emphasize the need to monitor and track network activities in real-time to ensure confidential enterprise assets are 18

19 maintained at a high level of security. This includes network compliance audit reports on demand when auditors request documentation of network security compliance. Failure to follow the regulatory compliance audit guidelines can result in severe penalties for non-compliance. Maintaining and proving compliance in cloud computing with security policies is not sufficient. Additional focus is needed for compliance including breach notification, data disclosures, audits, and business continuity. Proactive measures are required to implement network security processes for detecting and reporting network anomalies. Breaches and other vulnerabilities that can affect the security of the sensitive information of the enterprise must be reported and corrected as soon as possible. Auditors use network logs, a text file containing information about network related events, to authenticate security incidents and observe what measures the organization takes to prevent their network from being compromised Controlling access to the data in the cloud requires implementing many safeguards and business agreements to protect patient privacy interest and reduce liability. The cloud provider should provide an account of all access to the servers and storage by anyone within their organization. The business agreement should include financial penalties and indemnify the healthcare provider in case there is a breach. As a subcontractor, DMS must comply with the mandatory requirements. HIPAA compliance in the cloud is achievable. DMS has demonstrated compliance of the security rule physical and technical safeguards. Unfortunately, DMS would not pass a HIPAA compliance audit today because the necessary administrative safeguards are not in place. Recommendations Recommendations and guidelines are very helpful, but what are lacking are industry wide standards and a certified compliance process which would provide legal protection from subsequently finding a security violation. The Health Information Trust Alliance (HITRUST) 19

20 and Cloud Security Alliance (CSA) are collaborating together on cloud security initiatives to improve security and compliance in the healthcare industry. CSA stressed the importance of emphasizing business information security control requirements, normalizing cloud taxonomy, and encouraging consistent security measures (HITRUST, 2010). The partnership with HITRUST and CSA will further promote education and best practices for securing healthcare data in cloud environments. DMS can achieve HIPAA security compliance in the cloud if the following HHS recommended processes is followed. Conduct a gap analysis comparing existing policies and procedures to new requirements Conduct regular security risk assessments Identify and document business associate and subcontractor relationships Verify that agreements are in place and updated as necessary Use OCR s HIPAA Omnibus Rule-compliant business associate agreement forms Develop or update HIPAA compliance programs Revise breach notification policies and procedures Update training and provide ongoing awareness communications Monitor compliance and risks 20

21 Appendix A 21

22 22

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

The HIPAA Security Rule: Cloudy Skies Ahead?

The HIPAA Security Rule: Cloudy Skies Ahead? The HIPAA Security Rule: Cloudy Skies Ahead? Presented and Prepared by John Kivus and Emily Moseley Wood Jackson PLLC HIPAA and the Cloud In the past several years, the cloud has become an increasingly

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

White Paper. HIPAA-Regulated Enterprises. Paper Title Here

White Paper. HIPAA-Regulated Enterprises. Paper Title Here White Paper White Endpoint Paper Backup Title Compliance Here Additional Considerations Title for Line HIPAA-Regulated Enterprises A guide for White IT professionals Paper Title Here in healthcare, pharma,

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

efolder White Paper: HIPAA Compliance

efolder White Paper: HIPAA Compliance efolder White Paper: HIPAA Compliance October 2014 Copyright 2014, efolder, Inc. Abstract This paper outlines how companies can use certain efolder services to facilitate HIPAA and HITECH compliance within

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

HIPAA Security Rule Compliance and Health Care Information Protection

HIPAA Security Rule Compliance and Health Care Information Protection HIPAA Security Rule Compliance and Health Care Information Protection How SEA s Solution Suite Ensures HIPAA Security Rule Compliance Legal Notice: This document reflects the understanding of Software

More information

HIPAA: Compliance Essentials

HIPAA: Compliance Essentials HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

ITS HIPAA Security Compliance Recommendations

ITS HIPAA Security Compliance Recommendations ITS HIPAA Security Compliance Recommendations October 24, 2005 Updated May 31, 2010 http://its.uncg.edu/hipaa/security/ Table of Contents Introduction...1 Purpose of this Document...1 Important Terms...1

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: Jan 27, 2015 8815 Centre Park Drive, Columbia MD 21045 HIPAA About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

Solutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare

Solutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare Solutions Brief Citrix Solutions for Healthcare and HIPAA Compliance citrix.com/healthcare While most people are well aware of the repercussions of losing personal or organizational data from identity

More information

White Paper. Support for the HIPAA Security Rule PowerScribe 360

White Paper. Support for the HIPAA Security Rule PowerScribe 360 White Paper Support for the HIPAA Security Rule PowerScribe 360 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of the PowerScribe 360 system as

More information

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their

More information

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance Table of Contents Introduction... 2 Encryption and Protection

More information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0 WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule WHITE PAPER Support for the HIPAA Security Rule PowerScribe 360 Reporting v2.0 HEALTHCARE 2 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information