Achieving HIPAA Security Rule Compliance with Lumension Solutions


Healthcare organizations face a host of HIPAA Security Rule compliance challenges with the move to put patient medical records online. Lumension helps organizations address these compliance challenges by providing the proactive risk management and the required audit readiness to meet many aspects of the HIPAA Security Rule.

March 2009, WP-EN

What Is It?

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) established standards for, among other things, the privacy and security of protected health information. The Security Rule is focused on protecting the confidentiality, integrity, and availability of electronic protected health information (EPHI) that is created, received, maintained, or transmitted by any covered entity against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. By meeting the Security Rule for EPHI, covered entities will also meet the EPHI requirements of the Privacy Rule; the Security Rule is more comprehensive than, and includes a level of detail not found in, the Privacy Rule.

Who Has To Comply

In general, the security rules of HIPAA apply to the following covered entities:

Covered Healthcare Providers - Any provider of medical or other health services that maintains and/or transmits any health information.
Health Plans - Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance company or Medicare / Medicaid programs).
Healthcare Clearinghouses - Any organization that processes another entity's healthcare transactions (e.g., payment or reimbursement systems).
Medicare Prescription Drug Card Sponsors - Any non-governmental entity that offers an endorsed discount drug program.

Figure 1. HIPAA Components (the figure's tree, rendered as an outline):
Health Insurance Portability and Accountability Act of 1996
  Title I: Health Care Access, Portability, and Renewability
  Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
    Administrative Simplification: Electronic Data Interchange (Transactions, Identifiers, Code Sets); Privacy; Security
      Security: Security Standards: General Rules; Administrative Safeguards; Physical Safeguards; Technical Safeguards; Organizational Requirements; Policies and Procedures and Documentation Requirements
  Title III: Tax-Related Health Provision
  Title IV: Group Health Plan Requirements
  Title V: Revenue Offsets

What Are the Standards

The HIPAA Security Rule is comprised of six main sections. Each of these consists of several standards and implementation specifications which must be addressed, including:

Security Standards: General Rules includes the general requirements all covered entities must meet to ensure reasonable and appropriate protection of EPHI.

Administrative Safeguards are defined as the administrative actions and policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. 1

Physical Safeguards are defined as the physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. 2

Technical Safeguards are defined as the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. 3

Organizational Requirements includes standards to ensure appropriate safeguards are in place at business associates and others who share EPHI. 4

Policies and Procedures and Documentation Requirements ensures that covered entities have formal plans (i.e., policies, procedures and documentation) in place for the reasonable and appropriate implementation of EPHI security. 4

Each one of these safeguards consists of any number of standards; these in turn include any number of implementation specifications that are either required or addressable. If required, the covered entity must implement policies and/or procedures which meet the implementation specification requirements. If addressable, the covered entity must assess whether it is a reasonable and appropriate safeguard in their environment; if not, they must implement an equivalent alternative measure.

Notes:
1-4 For additional information, please see

The HIPAA Security Rule 5 mentions several documents from the National Institute of Standards and Technology (NIST) as being potentially helpful, but not mandatory, for compliance. In October 2008, NIST published Special Publication Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. 6 It is designed to help a) educate readers about information security terms used in the HIPAA Security Rule, b) facilitate understanding of the security standards set out in the Security Rule, and c) direct readers to other helpful NIST publications relevant to individual topics addressed in the Security Rule.

Two important side notes need to be made:

State laws that are contrary to the Privacy Rule and Security Rule are preempted by the Federal requirements, unless a specific exception applies. 7

Records protected by the Family Educational Rights and Privacy Act (FERPA) are specifically excluded from the HIPAA Privacy Rule. This exception for records covered by FERPA applies to both the HIPAA Privacy and Security Rules, because the Security Rule applies to a subset of the information covered by the Privacy Rule (i.e., electronic PHI). 8

The Challenges of Compliance

The move to managed care, the need to track patient medical records, and the proposals around universal medical record systems and absolute patient portability have all brought new and complex technologies, processes and relationships into the healthcare arena. These create a number of compliance challenges with respect to the HIPAA Security Rule, including:

Protecting Against Targeted Attacks. Sophisticated criminal networks are targeting medical institutions, where data theft is increasing faster than retail or banking data thefts. 9 These cyber attacks exploit known security flaws for which a remediation is available 90% of the time. Protecting against known vulnerabilities and malware (viruses, trojans, et cetera) is hard enough; it's even harder when dealing with unknown threats introduced via unauthorized applications.

Preventing Data Loss and/or Theft. There is a need to share medical data: to provide better care as patients see specialists, to spot and address public health issues, or to allow for research. However, the risk of accidental or malicious disclosure of patient health information must be mitigated, especially if it poses a risk of identity theft or other substantial harm to an individual, such as embarrassment, inconvenience, unfairness, harm to reputation or the potential for harassment or prejudice, particularly when health or financial benefits information is involved. 10

Enforcing Security Policy. EPHI security requires a coherent and comprehensive strategy, supported by a framework of appropriate policies and technical controls. These controls must proactively enforce the security policy rather than relying on goodwill adherence.

Preparing for Audits. Ever since the first HIPAA Security Rule audit of Atlanta's Piedmont Hospital in March 2007, 11 and the more recent finding by the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) that the Centers for Medicare and Medicaid Services (CMS) "had taken limited actions to ensure that covered entities adequately implemented the [HIPAA] Security Rule [and] had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities," 12 the healthcare industry has been on edge. The message is clear: covered entities must be prepared to face compliance audits. 13

Lowering IT Costs. Like everyone else in these trying economic times, healthcare organizations have to do more with less. Hence, in addition to supporting the needs of staff and patients and delivering more aggressive IT service levels, it is important to maintain focus on IT costs, encompassing everything from purchase and implementation to maintenance and on-going operations.

Notes:
5 Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations.
6 See
7 For more information, see 45 C.F.R. Part 160, Subpart B.
8 See Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records, published by the HHS and DOE (Nov-08) (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf).
9 Poremba, Sue Marquette. Medical identity thefts on the rise. SC Magazine (August 25, 2008).
10 U.S.C. 552a (e)(10).
11 Vijayan, Jaikumar. HIPAA audit at hospital riles health care IT. Computerworld (June 15, 2007).
12 Audit (A ) entitled Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, dated
13 See
Suggested reading: Rishel et al. Refresh HIPAA Security Assessments to Prepare for More-Proactive Audits. Gartner Research ID Number: G (24 April 2008).

Lumension's security management software addresses these compliance challenges by delivering vulnerability management, data protection and endpoint protection solutions which provide the proactive risk management and the required audit readiness to meet many aspects of the HIPAA Security Rule:

- Complete asset identification of both managed and unmanaged assets
- Proactive monitoring of security configurations
- Full control over data flows to removable devices / media, with forced encryption to protect EPHI
- Prevention of malware downloading and/or executing on network assets

Taken together, these capabilities can help protect against targeted attacks, prevent data loss or theft, enforce security policies, prepare organizations for compliance audits, and lower the cost of IT security. To get a more complete understanding of how Lumension's security management software solutions can help healthcare organizations address the HIPAA Security Rule requirements, please see Appendix A.

Compliance Timeline

The Privacy Rule compliance deadline for all covered entities except for small health plans 14 was April 2003; for small health plans it was April

The Security Rule compliance deadline for all covered entities except for small health plans was April 2005; for small health plans it was April

In February 2006 the US Department of Health and Human Services (HHS) published the final Enforcement Rule. This established the rules and procedures for the imposition of civil penalties on organizations which violate standards of the HIPAA Administrative Simplification provisions. It became effective in March

Notes:
14 Defined as a health plan with annual receipts of not more than $5 million (45 C.F.R.).

Financial Implications

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations, because the right of privacy of medical records is considered a fundamental civil right. In order to put more teeth into the penalties, the OCR enforces the civil side and the Department of Justice (DOJ) enforces the criminal side. The civil penalties are not more than $100 for each violation and not more than $25,000 for all violations of an identical type during a single calendar year. 17 Improperly obtaining or disclosing individual health information, or improper use of unique health identifiers, is subject to the following criminal penalties: 18

           Knowingly    False Pretenses    For Profit, Gain, or Harm
Fine       $50,000      $100,000           $250,000
Prison     1 Year       5 Years            10 Years

As previously mentioned, enforcement of HIPAA regulations is picking up steam. In fact, the recently signed stimulus package contains significant additions to HIPAA. The new rules include a breach notification law, forcing healthcare providers to notify affected individuals, and to notify via prominent media outlets if more than 500 people are impacted by a breach. In addition, stricter enforcement and penalties are included, and State Attorneys General are authorized to bring a civil action in federal District Court against individuals who violate HIPAA.

Notes:
18 U.S.C. 1320d-6.

Appendix A: HIPAA Security Rule Cross Reference

The HIPAA Security Rule consists of three safeguards and two general requirements (Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements). In all, these encompass 22 Standards and 42 Implementation Specifications, of which 20 are Required and 22 are Addressable. Required Implementation Specifications are those for which the covered entity must implement policies and/or procedures which meet the implementation specification requirements. Addressable Implementation Specifications are those for which the covered entity must assess whether it is a reasonable and appropriate safeguard in their environment; if not, they must implement an equivalent alternative measure. Standards without additional Implementation Specifications are also considered required.

The following matrix focuses on how Lumension's security management software solutions can help healthcare organizations address the Standards and Implementation Specifications found in the Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Policies and Procedures and Documentation Requirements areas. The remaining area (Organizational Requirements), while important, is not covered, as Lumension does not provide additive value in this area for achieving compliance. In the matrix, each Implementation Specification is marked R (Required) or A (Addressable).

Administrative Safeguards

(a)(1) Security Management Process

Risk Analysis (R): Understand your current risk profile:
- Use the free Lumension Vulnerability / Device Application Scanners to scan and analyze your entire network.
- Use Lumension Scan to scan your entire network for known vulnerabilities and prioritize for remediation.
- Use Lumension Security Configuration Management to understand configurations on various (groups of) machines, allowing you to appropriately configure different machines for their level of risk.
- Use Lumension Device Control to monitor and control all your endpoints for devices being connected and data flows off network.
- Use Lumension Application Control to monitor and enforce application usage across your network.

Risk Management (R): Manage risks on / to your network:
- Use Lumension Patch and Remediation to update and fix known vulnerabilities.
- Use Lumension Device Control to control data flows off network, and to prevent the introduction of malware.
- Use Lumension Application Control to control what applications are used by whom, and to prevent malware from executing.

Sanction Policy (R): Use Lumension Endpoint Security Suite to support sanction policies via its integrated reports (e.g., user A repeatedly attempts to connect a rogue device to the network).

Information System Activity Review (R): Monitor system activity:
- Actively manage both your hardware and software assets, and vulnerability and patch status, using Lumension Patch and Remediation.
- Integrate 3rd party data into a common repository for dashboard reporting using Lumension Enterprise Reporting.
- Monitor device usage and data flows using Lumension Device Control.
- Monitor application usage using Lumension Application Control.

(a)(2) Assigned Security Responsibility: All Lumension solutions utilize RBAC controls for administrative actions and can be configured to support unique organizational needs.

(a)(3) Workforce Security

Authorization and/or Supervision (A): Use Lumension Endpoint Security Suite to control device and application usage on your managed endpoints, no matter where / when users are logged on; this includes:
- Control at user or group level.
- Can be tied to MS Active Directory or Novell eDirectory.
- Supports zero day start / stop to limit unauthorized usage.
- Uses RBAC and grouping to maintain separation of duties and the notion of least privilege.

Workforce Clearance Procedure (A): Use Lumension Device Control to:
- Prevent unauthorized employees from downloading / transferring data off your network.
- Provision authorized users with encrypted devices to protect EPHI when distributed via removable media.

Termination Procedure (A):
- Use Lumension Device Control to prevent terminated employees from downloading / transferring data off your network.
- Use Lumension Application Control to prevent terminated employees from executing any applications on your network.

(a)(4) Information Access Management

Isolating Healthcare Clearinghouse Functions (R): N/A

Access Authorization (A): Prevent unauthorized access:
- Use Lumension Scan to identify rogue network devices.
- Use Lumension Device Control to control / prevent access of removable devices / media which can be used to download / transfer data.
- Use Lumension Application Control to limit access to applications.

Access Establishment and Modification (A): Use Lumension Endpoint Security Suite to monitor / manage access:
- Control / prevent access of removable devices / media which can be used to download / transfer data.
- Limit access to applications.
- Monitor all administrative actions / changes to security policy enforcement.

(a)(5) Security Awareness and Training

Security Reminders (A): Provide customizable messages to end users when they attempt to contravene security policy; for instance:
- Use Lumension Device Control to control / prevent data downloads, and/or to force encryption.
- Use Lumension Application Control to control / prevent unauthorized use of certain applications.

Protection from Malicious Software (A): Protect your network from malware:
- Use Lumension Security Configuration Management to report on configuration settings of all network assets.
- Use Lumension Patch and Remediation to stay up-to-date on patching and remediation of all known vulnerabilities.
- Use Lumension Device Control to prevent malware being downloaded from external devices (e.g., USB flash drives).
- Use Lumension Application Control to prevent malware from executing on your network.

Log-in Monitoring (A): Look beyond network logins:
- Use Lumension Device Control to monitor / control / report on attempts to use removable devices and/or download data.
- Use Lumension Application Control to monitor / control / report on attempts to use applications, or on unknown applications attempting to execute.

Password Management (A): Use Lumension Device Control to enforce existing or new (strong) password usage for encrypted devices:
- Implement at user or group level.
- Tie to existing MS Active Directory or Novell eDirectory.
- Integrates with MS Certificate Authority.

(a)(6) Security Incident Procedures

Response and Reporting (R): Prevent / report on potentially harmful incidents:
- Use Lumension Scan to identify known vulnerabilities on network assets.
- Use Lumension Security Configuration Management to scan / monitor / report configurations of all network assets.
- Use Lumension Patch and Remediation to update and repair known vulnerabilities to limit attack surface.
- Use Lumension Enterprise Reporting to report on vulnerability status of all network assets, including any third party vulnerability data.
- Use Lumension Device Control to limit access by removable devices / media to, and downloading of data from, your network.
- Use Lumension Application Control to prevent unauthorized applications from executing.

(a)(7) Contingency Plan

Data Backup Plan (R): Use Lumension Device Control to force encryption of backup data being written onto external USB hard drives from workstations to prevent unauthorized usage.

Disaster Recovery Plan (R): N/A

Emergency Mode Operation Plan (R): N/A

Testing and Revision Procedure (A): N/A

Applications and Data Criticality Analysis (A): N/A

(a)(8) Evaluation: N/A

(b)(1) Business Associate Contracts and Other Arrangements

Written Contract or Other Arrangement (R): Use Lumension Device Control to force encryption of data being sent to / used by third parties to prevent unauthorized usage.

Physical Safeguards

(a)(1) Facility Access Controls

Contingency Operations (A): N/A

Facility Security Plan (A): N/A

Access Control and Validation Procedures (A): Control access based on user / machine rights and other factors:
- Use Lumension Device Control to control access by removable devices / media.
- Use Lumension Application Control to control access to applications.

Maintenance Records (A): N/A

(b) Workstation Use: Based on user / machine rights and other factors, ensure proper usage:
- Use Lumension Security Configuration Management to monitor workstation configurations and manage image drift.
- Use Lumension Patch and Remediation to update and repair known vulnerabilities to limit attack surface.
- Use Lumension Device Control to control access by removable devices / media, and data flows off network.
- Use Lumension Application Control to control access to applications, to prevent malware from executing, and to limit application usage to specific machines.

(c) Workstation Security: Based on user / machine rights and other factors, restrict network / machine access:
- Use Lumension Device Control to control access by removable devices / media, and data flows off network.
- Use Lumension Application Control to control access to applications, and to prevent malware from executing.

(d)(1) Device and Media Controls

Disposal (R): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

Media Reuse (R): Use Lumension Device Control to track and force encryption of data being saved onto removable devices / media to prevent unauthorized usage; it can also be used to irrevocably delete any existing data on a given removable device / media.

Accountability (A): Use Lumension Device Control to either track the filename or create a full copy of data being saved onto removable devices / media, using patented bi-directional shadowing technology.

Data Backup and Storage (A): Use Lumension Device Control to create a full copy of data being saved onto removable devices / media.

Technical Safeguards

(a)(1) Access Control

Unique User Identification (R): Use Lumension Device Control to control access to removable devices / media and applications:
- Based on user / machine rights and other factors.
- Based on existing MS Active Directory or Novell eDirectory structures.
Use Lumension Application Control to control access to specific executables.

Emergency Access Procedure (R): N/A

Automatic Logoff (A): N/A

Encryption and Decryption (A): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

(b) Audit Controls: Monitor system activity:
- Configurations of all network assets using Lumension Security Configuration Management.
- Vulnerability and patch status using Lumension Scan and Lumension Patch and Remediation.
- Device usage and data flows using Lumension Device Control.
- Application availability and usage using Lumension Application Control.
- Both user and administrative activities using Lumension Endpoint Security Suite.

(c)(1) Integrity

Mechanism to Authenticate Electronic Protected Health Information (A): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

(d) Person or Entity Authentication: Use Lumension Device Control to control access to removable devices / media and applications:
- Based on user / machine rights and other factors.
- Based on existing MS Active Directory or Novell eDirectory structures.

(e)(1) Transmission Security

Integrity Controls (A): Use Lumension Device Control to track and force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

Encryption (A): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

Policies and Procedures and Documentation Requirements

(a) Policies and Procedures: Enforce your policies and procedures:
- Use Lumension Scan to identify all vulnerabilities on network assets.
- Use Lumension Security Configuration Management to scan / monitor / report configurations of all network assets.
- Use Lumension Patch and Remediation to update and fix known vulnerabilities to limit attack surface.
- Use Lumension Enterprise Reporting to report on vulnerability status of all network assets, including any third party vulnerability data.
- Use Lumension Endpoint Security Suite to control device and application usage on your managed endpoints, no matter where / when users are logged on; this includes:
  - Control at user or group level.
  - Can be tied to MS Active Directory or Novell eDirectory.
  - Supports zero day start / stop to limit unauthorized usage.
  - Uses RBAC and grouping to maintain separation of duties and the notion of least privilege.

(b)(1) Documentation

Time Limit (R): N/A

Availability (R): N/A

Updates (R): N/A

About Lumension

Lumension, Inc., a global leader in operational endpoint security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, India, Hong Kong and Singapore.

Lumension: IT Secured. Success Optimized. More information can be found at

Global Headquarters: N. Greenway-Hayden Loop, Suite 100, Scottsdale, AZ, USA


More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security Rule Compliance and Health Care Information Protection

HIPAA Security Rule Compliance and Health Care Information Protection HIPAA Security Rule Compliance and Health Care Information Protection How SEA s Solution Suite Ensures HIPAA Security Rule Compliance Legal Notice: This document reflects the understanding of Software

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

New privacy and security requirements increase potential legal liability and jeopardize brand reputation.

New privacy and security requirements increase potential legal liability and jeopardize brand reputation. New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA The Law Explained. Click here to view the HIPAA information.

HIPAA The Law Explained. Click here to view the HIPAA information. HIPAA The Law Explained Click here to view the HIPAA information. HIPAA - Provisions 5 Major Provisions/Titles Title 1 Title 2 Title 3 Title 4 Title 5 More Information on Administrative Simplification

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

ITS HIPAA Security Compliance Recommendations

ITS HIPAA Security Compliance Recommendations ITS HIPAA Security Compliance Recommendations October 24, 2005 Updated May 31, 2010 http://its.uncg.edu/hipaa/security/ Table of Contents Introduction...1 Purpose of this Document...1 Important Terms...1

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com

787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com Introduction Keystone White Paper: Regulations affecting IT This document describes specific sections of current U.S. regulations applicable to IT governance and data protection and maps those requirements

More information

Security Framework Information Security Management System

Security Framework Information Security Management System NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other

More information

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0 WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

White Paper. Support for the HIPAA Security Rule PowerScribe 360

White Paper. Support for the HIPAA Security Rule PowerScribe 360 White Paper Support for the HIPAA Security Rule PowerScribe 360 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of the PowerScribe 360 system as

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

HIPAA COMPLIANCE REVIEW

HIPAA COMPLIANCE REVIEW HIPAA COMPLIANCE REVIEW DRAGON MEDICAL V 10 CSC 3811 Turtle Creek Blvd Suite 2000 Dallas, TX 75219 Phone: 214.520.0555 TABLE OF CONTENTS 1.0 Introduction 1 2.0 Findings 1 2.1 Observations and Recommendations

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.

More information

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule NIST Special Publication 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Joan Hash, Pauline Bowen, Arnold Johnson, Carla

More information

WHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule...

WHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule... WHITEPAPER HIPAA Requirements Addressed By Bradford s Network Sentry Family Evolve your network strategy to meet new threats and achieve expanded business imperatives Introduction.... 1 The HIPAA Security

More information

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security awareness training, and security incident procedures. The

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule WHITE PAPER Support for the HIPAA Security Rule PowerScribe 360 Reporting v2.0 HEALTHCARE 2 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

HEALTH CARE ADVISORY

HEALTH CARE ADVISORY HEALTH CARE ADVISORY March 2003 FINAL HIPAA SECURITY REGULATIONS RELEASED AT LAST On February 20, 2003, the Department of Health and Human Services (HHS) published the Final Security Rule under the Health

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

HIPAA Security Education. Updated May 2016

HIPAA Security Education. Updated May 2016 HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)

More information