HIPAA ephi Security Guidance for Researchers
- Claude Shaw
- 8 years ago
What is ePHI?

ePHI stands for Electronic Protected Health Information (PHI). It is any PHI that is stored, accessed, transmitted or received electronically.

PHI under HIPAA means any information that identifies an individual AND relates to at least one of the following:
- The individual's past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.

HIPAA details 18 items that render PHI identifiable, including:
1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code.

Updated Jan 2016 Northwell Health Page 1 of 8
What regulations apply to research data containing ePHI?

The HIPAA Security Rule requires protection of ePHI that is created, received, processed, transmitted, or maintained by a covered entity. It requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was intended to increase the use of Electronic Health Records (EHR) by physicians and hospitals. This regulation requires HIPAA covered entities (and business associates) to promptly notify affected individuals of a breach, and the media when more than 500 individuals are affected. This act amended the HIPAA Privacy and Security Rules, increasing the penalties for breach of patient information up to $1.5 million.

The Omnibus Final Rule that went into effect in September 2013 updated the HIPAA Privacy and Security Rules as well as the HITECH Act for breach notification. This update puts the burden of proof on covered entities to prove that a breach did not occur, and also emphasizes the importance of encryption, audit logs, and monitoring of system activity.

What safeguards should I have in place?

According to the HIPAA Security Rule, the following must be in place:
- Technical safeguards: the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
- Administrative safeguards: administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
- Physical safeguards: physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.
Note: All the safeguards are required to be administered by either the individual or the health system.

How do I ensure HIPAA compliance for my application or database containing ePHI?

The PI is responsible for ensuring the security of ePHI used in the research study, which is usually maintained in databases (i.e. applications that manage data and allow fast storage and retrieval of that data). PIs can obtain information about secure, internally hosted systems and resources from Research IS. PIs using a system or application containing PHI that is hosted externally (e.g. by a collaborator, sponsor, 3rd party vendor, etc.) must submit appropriate documentation of security controls from the application and hosting facility.

This document provides guidance for PIs to answer the security safeguard questions listed on the HRPP application as well as the OCIO HIPAA Security and ASP Application forms. For more information and institutional requirements related to HIPAA security, please refer to the Information Security and Corporate Compliance policies available on the Intranet, or contact Research Information Systems at ResearchIS@nshs.edu.
Planning Your Study

1. What ePHI should be collected for the study?
ePHI collected should contain only the individual identifiers that are minimally necessary to support the research purpose.
Tip: Avoid collecting identifiers if not necessary. For example, instead of recording date of birth, you can record age (however, ages over 89 are still considered PHI). Instead of service dates, you can record length of stay.
Contact the HRPP for help when you submit your study for approval.

2. What should I consider when planning for collection, maintenance and management of ePHI?
- Choose the best type of database required for your data. Simple studies may only require simple spreadsheets (if no HIPAA identifiers are being collected), but more complex studies require larger databases. Databases with ePHI need to meet HIPAA compliance standards.
- Various electronic data capture tools are available for researchers:
  o HIPAA compliant SurveyMonkey & Research Electronic Data Capture (REDCap) are survey/database solutions that can be used for most research studies. See the Research IS website for information, or contact ResearchIS@nshs.edu.
  o Biostats Unit Database Designed for You (BUDDY): custom databases for more complex trials; contact the Biostats Unit (516).
- Set up appropriate network shared folders to store files, with limited access for research team members. ePHI shared folders or a PHI SharePoint can be set up for files containing ePHI. Avoid storing files on local workstations or laptop desktops without proper encryption.
- For data analysis that will be done outside of your research team (e.g. through Biostatistics or an external vendor), ensure that you send the information in a de-identified or coded manner.
- Budget appropriately if your research involves storage of large amounts of data or requires database development.
Tip: Contact Research IS to discuss your data management or storage needs in advance of study initiation. These steps should be outlined in your protocol or standard operating procedures.

3. What do I need to know about collecting sensitive information, such as Social Security Numbers (SSNs) and Medicare numbers?
Do not collect SSNs/Medicare numbers unless it is necessary for the study (such as for tax requirements). If you require collection and storage of this information, ensure that you have appropriate measures in place to safeguard it. The HS policy Identity Theft Prevention Program outlines the appropriate steps to redact sensitive information.
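As an added example (not part of the original guidance and not a Northwell tool), the following Python applies the 18-identifier rules listed above together with the Planning tips (age instead of date of birth, length of stay instead of service dates) to a constructed record. The field names, the sample record and the LOW_POPULATION_ZIP3 set are assumptions; the real set of low-population ZIP prefixes must come from current Census data.

```python
# Added example for this guidance page; not part of the original document or
# any Northwell tooling. Field names, the sample record and the
# LOW_POPULATION_ZIP3 set are constructed assumptions.
from datetime import date

# Assumed placeholder: 3-digit ZIP prefixes whose combined area holds 20,000
# or fewer people. The real set must come from current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692"}

# Record fields that map to the page's list of direct identifiers
# (names, phone/fax, e-mail, SSN, MRN, plan/account/license numbers,
# vehicle/device serials, URLs, IP addresses, biometrics, face photos).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Dates that the Planning tips replace with a derived value rather than a year.
DOB_FIELD = "date_of_birth"
STAY_FIELDS = ("admission_date", "discharge_date")


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the initial three digits; low-population prefixes become 000."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def safe_harbor_age(dob: date, as_of: date) -> str:
    """Age in whole years as of `as_of`; ages over 89 collapse to '90+'."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1  # birthday not yet reached in the as_of year
    return "90+" if years > 89 else str(years)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of `record` with the page's identifier rules applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                         # drop outright
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key == DOB_FIELD:
            out["age"] = safe_harbor_age(value, as_of)
        elif key in STAY_FIELDS:
            continue                         # folded into length of stay below
        elif isinstance(value, date):
            out[key + "_year"] = value.year  # any other date: year only
        else:
            out[key] = value                 # clinical values are not identifiers
    admission, discharge = (record.get(f) for f in STAY_FIELDS)
    if admission and discharge:
        out["length_of_stay_days"] = (discharge - admission).days
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN-0000001",
    "phone": "516-555-0100",
    "zip": "11030",
    "date_of_birth": date(1925, 3, 15),
    "admission_date": date(2015, 11, 2),
    "discharge_date": date(2015, 11, 9),
    "date_of_death": date(2016, 1, 4),
    "diagnosis_code": "I10",
}
AS_OF = date(2016, 1, 31)


def demo() -> dict:
    """De-identify the constructed sample as of AS_OF."""
    return deidentify(SAMPLE, AS_OF)


if __name__ == "__main__":
    print(demo())
```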
4. Can I transfer ePHI to an external source?
ePHI transmitted outside of the Health System must be encrypted, password protected and sent only through secure channels. Such transmission should occur only if required for the study. Contact Research IS for further assistance.
The subject's authorization, a waiver from the IRB or other agreements must be obtained before identifiable information is shared outside your research team.

5. When is a Business Associate Agreement (BAA) necessary? (administrative safeguard)
A BAA is required when any external individual or organization, such as a vendor providing services, will create, receive, maintain, store, use or transmit ePHI. Please follow Health System policy (#800.19) and contact Procurement when you request a BAA or for further questions. BAAs may also be executed through the Grants Management Office as contracts with research sponsors are processed.
Tip: See BAA guidance and map.

During Your Study

1. Who should have access to the database and how do I manage this? (administrative safeguard)
Limit access only to authorized personnel required for the study project. For technical issues regarding authorizing different levels of access, monitoring access history, or terminating access when study personnel no longer require it, please contact the database administrator to manage access.
For any research PI who is coming in or leaving the health system, please follow policy GR088 Researcher Onboarding and Exit Process for additional procedures. For research staff leaving the health system, the PI is responsible for notifying the database administrator and others as necessary (e.g. 3rd party collaborator, sponsor, vendor) about terminating the staff's access to PHI.

2. How do research personnel obtain individual usernames and passwords for the database?
All individuals must use their own unique usernames and passwords to access the database. Never share log-in IDs and passwords. Follow the policies Computer Usage Policy and User Password. Please contact the database administrator or Research IS (researchis@nshs.edu) if you need to obtain or change a password.

3. What type of password should be used?
Strong passwords must be used and changed every 90 days. Unique usernames and passwords must meet the following standards: passwords must be at least 6 characters, and new passwords must be different from the previous 12 passwords. For more details please refer to the policy User Password, and contact Research IS for further assistance.
4. How do I ensure research data is saved and backed up properly? (administrative safeguard)
Research data should be saved and backed up on a health system shared drive/server or a secure external server. It should never be left unsecured. Contact Research IS (researchis@nshs.edu) for further assistance. Depending on the request, they may escalate it to the data backup team.

5. What technical safeguards are needed for databases?
- An automatic logoff (at least after every 15 minutes of inactivity) must be implemented.
- The activity logs of the database must be reviewed, recorded and examined at least quarterly, and a record kept of the log review.
- Any abnormal conditions occurring on the network where the database is stored must be recorded and reported to OCIO Security.
- A disaster recovery and emergency mode operation plan must be developed. Contact researchis@nshs.edu for guidance.

6. How do I transfer ePHI to an external source safely?
ePHI must be transferred through a secure, encrypted method that meets Health System policies and standards (e.g. secure File Transfer Platform, encrypted USB or system e-mail, etc.). Do not use unapproved cloud based storage (e.g. Google Drive/Docs, Dropbox, OneDrive, etc.) for storing PHI. The health system will soon be offering a cloud storage solution; please contact Research IS for more information.
To e-mail ePHI, only use the health system's e-mail account and encrypt the e-mail according to the policy E-mail Encryption Standards by doing the following:
  o Adding the words "secure" or "PHI" in the subject line, or clicking on the Encrypt and Send (Zixmail) button when you send an e-mail.
For questions or help with encryption, contact Research IS for assistance (researchis@nshs.edu).

7. How do I encrypt and secure mobile devices (e.g. laptops, tablets, removable portable hard drives, USB/thumb drives, smart phones, etc.) containing ePHI? (technical safeguards)
These devices must be encrypted (follow the policy Data Encryption and Integrity Policy) and open a ticket with IS if you are unsure whether your device is encrypted. Ensure portable computing devices are physically secure and not damaged, and never left unattended and unlocked (e.g. if in a car, stored securely away from view in the trunk, but not left overnight). Do not create, store, access, transmit or receive ePHI on personally owned computers, laptops or portable hard drives. Encryption software should be available on health system desktops and laptops, which will allow you to encrypt portable media. Note that all mobile devices used to access the Health System network and resources must be properly encrypted and password protected. Contact the IS Helpdesk if you require encryption or DLP software for your mobile device or any personal devices used for work.

8. What controls do I need to eliminate or minimize unauthorized access/viewing of PHI on workstations? (physical safeguards)
Follow the policy Computer Usage and contact IS for assistance. You may use privacy screens, automatic logoff, password protected screen savers, position the monitor away from public view, cubicle walls, or place workstations in private or locked rooms, etc. Remember to log out of the database before you leave the workstation.

9. What other physical safeguards do I need in place to protect ePHI from unauthorized access or theft?
Follow the policy Facility Access Controls. Physical safeguards include having locked doors, use of access badges, surveillance cameras, alarms, security checks, sign-in sheets for visitors & providing escorts, etc. Files, hard drives and devices with PHI must be stored securely.

10. How can I clean media (e.g. hard drive, disks, etc.) that has PHI?
Follow the policy Device and Media Usage and contact IS. There should be a proper sanitization process for the media and written notification that the media has been cleaned appropriately.

11. How do I develop a disaster recovery plan for a simple document or file based database? (administrative safeguard)
If your database has been saved on the HS server, it is covered. If not, the Disaster Recovery Plan would be evaluated as part of the assessment; please follow the policy Disaster Planning and Operations, and contact IS if you need assistance. Ensure that you have a copy of the data and a backup plan (such as on the health system servers).
Tip: Disaster Recovery SOP guidance and templates can be obtained from Research IS.

12. How do I develop a disaster recovery plan for a more complex or custom database (e.g. MS SQL Server, Oracle)? (administrative safeguard)
Unique applications, such as custom databases, require a Disaster Recovery Plan in place according to policy. SOPs should also be written to detail how the DR Plan will be supported. Contact IS or CRS for guidance on how to complete this plan.

Closing Out Your Study

1. How do I develop a plan for final disposition of my database and/or the hardware it resides on?
Follow the Protected Health and Confidential Information Disposal Policy and open a ticket with IS. Prior to destroying or disposing of any storage device or removable media, ensure that the device or media does not contain ePHI. See the Disposal Policy on proper disposal of equipment. Currently, IS provides Refresh Disposals and Non-refresh Disposals for desktops and laptops, as well as certified media destruction. Please contact IS to place the order.

2. What else should I consider before closing out my study?
Follow the policy Records Retention and Destruction. Ensure you have a plan for recording, archiving, retaining, and accessing the data for a sufficient amount of time after the study is closed.

3. Can I bring/remove research data containing PHI with me when I leave the health system?
Follow policy GR088 Principal Investigator Exit Process. Investigators leaving the health system who desire to remove/transfer the data generated from their research are required to obtain a Material Transfer Agreement and complete the PI exit process in accordance with health system requirements.

Other Concerns

1. How do I obtain training/education or information related to data security?
See the Public Research Education Program (PREP) schedule for any upcoming courses. For past courses you can view them through. Go to the IS homepage to view Security Safeguard news and information, or the Research IS homepage.

2. How can I report any concerns, questions, or incidents related to any possible PHI data loss or breach?
Immediately contact the ORC for research related HIPAA issues or potential breaches. Please see contact information below:
- Help Desk: (516, 718, 631) ISHelpDesk@nshs.edu
- For IS security concerns or questions: OCIO Security, Phone: (516), Security2@nshs.edu
- For Research IS services or questions: Research Information Systems (RIS), ResearchIS@nshs.edu, Phone: (516)
- For research related compliance or HIPAA concerns or questions: Office of Research Compliance (ORC), Phone: (516), ORC@nshs.edu
- For general HIPAA privacy concerns or questions: Corporate Compliance Hotline: (800)

What language can I include in my research protocol?

The following language can be included in the research protocol to address plans to protect ePHI and should be modified as appropriate:
"The confidentiality, integrity and availability of research data in electronic form will be ensured through appropriate security measures per the HIPAA Security Rule requirements. Research data will be collected, recorded, stored, managed and transferred in a secure manner and only accessed by authorized personnel for research purposes. Research data containing PHI will be securely transmitted through ______ between ______ and ______. The final data disposition / storage will be ______ after study completion."
The following language can be included in the research protocol to address plans to use REDCap to collect ePHI and should be modified as appropriate:
"The Feinstein Institute for Medical Research will be used as a central location for data processing and management. Vanderbilt University, with collaboration from a consortium of institutional partners, has developed a software toolset and workflow methodology for electronic collection and management of research and clinical trial data. REDCap servers are housed in a local data center at the Feinstein Institute for Medical Research and all web based information transmission is encrypted. REDCap was developed specifically around HIPAA Security guidelines and is recommended to Northwell Health researchers by the Research IT Security group, Research Compliance Office, and Institutional Review Board."

Remember: The following are links to our policies related to HIPAA privacy and security: pliancepolices.aspx
See our SECURE IT card for more helpful tips:
BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements
More informationHealth Insurance Portability & Accountability Act (HIPAA) Compliance Application
Health Insurance Portability & Accountability Act (HIPAA) Compliance Application IRB Office 101 - Altru Psychiatry Center 860 S. Columbia Rd, Grand Forks, North Dakota 58201 Phone: (701) 780-6161 PROJECT
More informationEverett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationSECURITY RISK ASSESSMENT SUMMARY
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
More informationWHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE
WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from
More informationHIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationC.T. Hellmuth & Associates, Inc.
Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.
More informationUnderstanding HIPAA Regulations and How They Impact Your Organization!
Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor
More informationHIPAA OVERVIEW ETSU 1
HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health
More informationHIPAA Privacy & Security Health Insurance Portability and Accountability Act
HIPAA Privacy & Security Health Insurance Portability and Accountability Act ASSOCIATE EDUCATION St. Elizabeth Medical Center Origin and Purpose of HIPAA In 2003, Congress enacted new rules that would
More informationHIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationPatient Privacy and HIPAA/HITECH
Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,
More informationPresented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security
More informationUPMC POLICY AND PROCEDURE MANUAL
UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationHIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10
HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH
More informationHuman Subject Research: HIPAA Privacy and Security. Human Research Academy 101
Human Subject Research: HIPAA Privacy and Security Human Research Academy 101 Your Enterprise Privacy Officer Christine Adams, CHC, CHPC Enterprise Privacy Officer Compliance & Enterprise Risk Management
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationDonna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS
Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information
More informationClinician s Guide to HIPAA Privacy. I. Introduction What is HIPAA? Health Information Privacy Protected Health Information
Clinician s Guide to HIPAA Privacy I. Introduction What is HIPAA? Health Information Privacy Protected Health Information II. HIPAA s Impact On Clinical Practice, Treatment, Referrals And Payment How is
More informationDistrict of Columbia Health Information Exchange Policy and Procedure Manual
District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description
More informationHealthcare Compliance Solutions
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationTelemedicine HIPAA/HITECH Privacy and Security
Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least
More informationInformation Security and Privacy. WHAT are the Guidelines? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT are the Guidelines? HOW is it to be done? WHY is it done? 1 WHAT are the guidelines O Be in compliance of Federal/State Laws O Federal: O HIPAA - 1996 O HITECH - 2009
More informationthe American Recovery and Reinvestment Act of 2009
Policy Title: Policy Number: HIPAA Information 9.1.10 Security Category: Effective Date: Policy Owner: Information 10/01/2013 Sr. VP Academic Affairs Technology Prior Effective Date: & Provost N/A Sr.
More informationHIPAA HANDBOOK. Keeping your backup HIPAA-compliant
The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this
More informationHIPAA COMPLIANCE INFORMATION. HIPAA Policy
HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas
More informationTechnical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and
Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected
More informationHIPAA RISK ASSESSMENT
HIPAA RISK ASSESSMENT PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION) Practice Name: Address: City, State, Zip: Phone: E-mail: We anticipate that your Meaningful Use training and implementation
More informationARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS
A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationSection 5 Identify Theft Red Flags and Address Discrepancy Procedures Index
Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...
More informationProcedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationHIPAA Privacy and Security
HIPAA Privacy and Security Course ID: 1020 - Credit Hours: 2 Author(s) Kevin Arnold, RN, BSN Accreditation KLA Education Services LLC is accredited by the State of California Board of Registered Nursing,
More informationHIPAA Privacy & Security Training for Clinicians
HIPAA Privacy & Security Training for Clinicians Agenda This training will cover the following information: Overview of Privacy Rule and Security Rules Using and disclosing Protected Health Information
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationWhat Every Organization Needs to Know about Basic HIPAA Compliance and Technology. April 21, 2015
What Every Organization Needs to Know about Basic HIPAA Compliance and Technology April 21, 2015 Who are these handsome fellas? Jamie Wolbeck (VP Of Operations) jamiew@sccnet.com Ron Shelby (Sr. Account
More information