CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT
|
|
- Isaac Little
- 8 years ago
- Views:
Transcription
1 CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT Class Date: January 29, 2016 Webinar Questions/Follow-Up Answers Question Please expand on the Treatment portion of TPO Is there a resource to use to help develop policies, procedures and plans? Do BA s need to create separate trainings? Should the training be the same for the County and the BA s? For those not in the presentation, how can we get the PowerPoints? I m very interested in commonly-used methods (similar to your example of Citrix ShareFile). Can you please have others explain what they are using for secure data repository/file sharing? Include in follow up documents if needed. If only a fax number is shared, is it a breach? Is there a difference Answer From HHS.gov: Treatment generally means the provision, coordination, or management of health care related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. Yes, the resource you might select to help you complete your Security Risk Analysis (SRA) should help with your Policies, Procedures and plans. See below for a list of some possible vendors that could help. Yes, BA s are responsible to meet the 45 CFR regulations that pertain to training. It is OK if the county wants to include the BA s in their trainings for compliance. Trainings do not need to be the same, but a BAs training must include the requisite content relevant to HIPAA. The PowerPoints will be posted on the CIBHS website early the week of 2/1 Citrix ShareFile is a web-based, secured large file sharing and storage system. San Joaquin uses Box Enterprise for secure file sharing, Sophos and Checkpoint for endpoint encryption. Someone posted they use PGP As we discussed in class, a fax number on its own is considered PHI. If the fax number shared in a public environment where someone not involved with the treatment of the patient could obtain it, that would be a breach, and an investigation would be needed and all of the facts would be reviewed. If the fax number was shared in the office and no other info was included, the possibility of exposure would be very low. All possibly breaches require the privacy investigation to make sure all of the details are uncovered. Yes, there is a difference between the number and documents. See above answer 1
2 between Fax Number and Fax Documents in terms of PHI and breach? If in the hallway, I only talk about a fax number, is that a breach of PHI. On the exams, is the results screen the last screen? Is there a description of the Security Roles somewhere? regarding the breach investigation. Yes, the results slide is the last one on both exams. Close out using the X in the upper right corner and return to your Dashboard. Yes, below are the Security Role responsibilities from the Xpio/HHE policy for your review: Security Compliance Officer (SCO) will be responsible for developing and implementing the security policies and procedures for the organization. The SCO will be responsible for establishing and maintaining an official repository of all security documentation including policies, procedures, plans, inventory, staff assignments, implementation data, test results and data required by regulation. Privacy Officer is responsible for ensuring the organization s compliance with the HIPAA privacy rule and other applicable privacy regulations. The Privacy Officer works in collaboration with Legal to ensure that the policies and procedures of the organization meet both privacy and security requirements. The Privacy Officer: 1. Ensures the accuracy of the PHI and ephi inventory. 2. Works with the Security Compliance Officer to create and implement the Incident Response Plan. 3. Reviews all plans, policies and procedures. 4. Works with the Security Compliance Officer to develop any organization privacy awareness training and announcements. 5. Has responsibility for reporting privacy breaches and responding to official and public requests for information pursuant to the HIPAA Privacy Rule. 6. Coordinates any customer and business partner privacy awareness initiatives. To assist where security or privacy implementation falls across functional areas, the following roles are defined and can be assigned to others as necessary: Workforce Security Manager has overall responsibility for workforce security and training. Duties include: 1. Background checks. 2. Security and access roles assignment. 3. Security training. 4. Sanctions process. IT Security Manager has overall responsibility for implementing and operating technical IT security. Duties include: 1. Acquiring and maintaining the security technology. 2. Creating an inventory of all IT equipment and applications. 3. Creating an inventory of PHI and other sensitive data. 4. Application and infrastructure change/configuration control. 2
3 5. Managing the security of IT access accounts. 6. Backup and recovery. Incident/Breach Manager is responsible for creating and implementing the security incident / privacy breach response plan. This includes: 1. Preparing for incidents and breaches by creating an incident response plan. 2. Working with all other managers and staff to quickly move through the containment, eradication and recovery phases of security incidents. 3. Coordinating with legal counsel to meet privacy breach reporting requirements and execute breach communications. Physical Security Manager is responsible for ensuring that the facility is secured from unauthorized access to restricted areas, devices, files and sensitive information 24/7/365. This includes: 1. Preparing the physical security plan and contingency plan. 2. Responsibility for the physical placement of devices to prevent unauthorized viewing, tampering or theft while in operation and securing networking infrastructure unauthorized access. 3. Maintaining records maintenance on all physical security infrastructure including locks and any surveillance equipment. 4. Maintaining documentation of all keys and the persons to whom they have been entrusted. I did the Executive Exam this morning and it still doesn t show the course and exam with green checkmarks plus I can t find my certificate. Is there a different call in for the afternoon? How would you define a small provider? So far, none of the links on the agenda have worked If we passed the test, how do we get the certificate? I m not seeing the print certificate and the course status says in progress. Discussion about what to share with Return to your dashboard and open up the Exec Leadership class. You will see both the course and the exam. Your exam should have the green check mark. Open the exam and the Certificate link is now located under the exam name. No, it was the same The term was used in explaining that all Covered Entities, regardless of their size, needs to meet the HIPAA regulations. In class, we defined a small size as a single provider office, a small practice with several licensed clinicians. Select the CTRL key when you click on the link. You can copy the links out and paste into your browser if they are not working from the document. Return to your dashboard and open up the Exec Leadership class. You will see both the course and the exam. Your exam should have the green check mark. Open the exam and the Certificate link is now located under the exam name. Return to your dashboard and open up the Exec Leadership class. You will see both the course and the exam. Your exam should have the green check mark. Open the exam and the Certificate link is now located under the exam name. We only share the diagnosis if it might pose a risk to the officer (or client), otherwise we don t share. We consider Officer safety paramount. We make the assumption the 3
4 Police who respond to assist with a client in an emergency Will you send out the training and the other documents for reference? Will the recorded session be available for listening again? Do you have a sample of the Risk Assessment Questions available to share, or where can we review a sample? Can anyone recommend any encryption software? Has anyone heard about the new DMH regulations in regards to having to encrypt all data at a Department of Defense level? Any enterprise solution software vendor recommendations? Are there any recommendations to encrypt mobile devices? Is it enough to know that my ephi is located on specific share drives and MY Documents folders on the servers? We don t allow storing ephi on a local hard drive. I don t know every Excel spreadsheet, but I am certain they client doesn t want to be harmed. Yes, all will be posted on the CIBHS website early in the week of 2/1 Yes, the recorded sessions will be posted on the CIBHS website early in the week of 2/1 CMS has just published a tool for agencies to use to complete their own SRA. Checkpoint, EndPoint Security, BitLocker (make sure you turn off the ability for the users to turn off BitLocker). Shasta County uses BitLocker. Ernie Ruoff, Information Protection Unit, responded and reported he was not aware of any new encryption regulations. DMH is now under DHCS and they report no new regs either. The DOD security is FIPS 140 and equivalent to AES 256, and that is the recommended level of encryption at this time. Mimecast for encrypted s is one solution in the county community. One tool used in the CiBHS community is MaaS 360, Cost is $8/device/month but many nice features. You will be asked to complete a PHI inventory where you document all of the software used that includes PHI, the locations and the devices (servers, desktops and mobile) that may contain ephi. It is great that you only allow saving of ephi to a shared, secure drive. That will be included in your documentation as proof you have control. I would say the next step is to make sure your servers are encrypted. It will be part of your PHI inventory to make sure you have them all documented. 4
5 are protected on the Share Drive Would anyone be willing to share their SRA questions that were used and the format or the analysis? What are the actual physical requirements for data media transfer; back up tapes, etc? No participant shared any data, refer to the CMS site for their questions/format: The standard is that it be inaccessible except to authorized personnel (for the purpose of operations, in this case). If when the transport company accepts that PHI, it is encrypted or locked up with appropriate documented custody, then physical transportation is no different than encrypted electronic transport. That means that the transport company is not a business associate. On the other hand, if you hand them a bunch of papers or drives and it is up to them to keep it safe without adequate safeguards to ensure privacy from the transportation personnel (think of them as a medium), then they would be a BA. Below is from an Audit document about what the auditor will be asking about device and media control/back up data. Address the policies and procedures related to protecting back up data as well as reducing risks (d)(1): Develop Inquire of Addressable Security Device and Data management Media Controls - Backup as to the (d)(2)(iv) and procedures Create a Storage established retrievable exact Procedures over the copy of ephi, backup and when needed, restoration of before movement ephi data. of equipment. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine whether procedures cover the 5
6 backup and restoration of ephi data. Obtain and review formal or informal documentation and evaluate the content to identify where ephi data are stored. If data is stored onsite, observe the facility to determine if the location is secure and protected from the elements, e.g., the location is equipped with a fire suppression system, a fireproof safe, etc. If data is stored off-site, obtain and review documentation and evaluate the content relative to the criteria specified to determine if the data is stored in a secure 6
7 location, e.g., a contract with a service provider such as Iron Mountain, a SSAE16 report over the controls in place if the service is a third-party provider, etc. If the off-site location is run by the entity, observations similar to the ones listed above may need to be performed. For a selection of days, obtain and review evidence that backups over ephi data were performed successfully. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine how 7
8 Is the lockbox required? Can we get a sample of the BAA Subagreement? How can we critique the class? Please post a 42 CFR Part 2 consent sample Post some SRA vendor options often restoration tests are to be completed. If the covered entity has chosen not to fully implement this specification, the entity must have documentation on where they have chosen not to fully implement this specification and their rationale for doing so. Evaluate this documentation if applicable. As noted above, I see no mention of a lockbox being required, but you should determine what is the most secure way to transfer your tapes/hard drives off to a redundant site or secure storage. Reduce risks. The language of the agreement is basically the same, except it is between a BAA and a sub-contractor. THIS HIPAA BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into effective [date] (the Effective Date ), by and between [Business Associate] ("Business Associate") and [Subcontractor] ( Subcontractor ). Evaluations were sent out to all on the webinar and in class. If you need one, please contact Kelly Bitz at kbitz@cibhs.org Several good 42 CFR Part 2 form samples here: A list of several vendors that can complete SRA s is noted below. Xpio Health is recommended, the others are additional resources that have not been contacted or are recommended by Xpio at this time. 1. Xpio Health, LLC 2. HIPAA One 8
9 What is a good tool to build survey s or to engage clinical staff? 3. ClearDATA 4. Sunera 5. Clearwater Compliance, LLC Kahoot! 9
HIPAA Security. assistance with implementation of the. security standards. This series aims to
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationDatto Compliance 101 1
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
More informationHIPAA RISK ASSESSMENT
HIPAA RISK ASSESSMENT PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION) Practice Name: Address: City, State, Zip: Phone: E-mail: We anticipate that your Meaningful Use training and implementation
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationSECURITY RISK ASSESSMENT SUMMARY
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationWHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery
WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationHealthcare Compliance Solutions
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
More informationHIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
More informationHIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1
HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationHIPAA Security Series
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
More informationEnsuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationEnsuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority
More informationHealthcare Compliance Solutions
Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and
More informationProtecting Patient Information in an Electronic Environment- New HIPAA Requirements
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
More informationEnsuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services
Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority
More informationHIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
More informationHIPAA SECURITY RULES FOR IT: WHAT ARE THEY?
HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule. The HIPAA Security Rule outlines
More informationEnsuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services
Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS
More informationHIPAA Information Security Overview
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationHIPAA COMPLIANCE AND
INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery
More informationSecuring the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer
Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationHIPAA Requirements for Data Security
HIPAA Requirements for Data Security Dennis Schmidt, HIPAA Security Officer UNC School of Medicine March, 2012 What does HIPAA Compliant Mean? It depends! The HIPAA Security Rule does not give many specific
More informationVendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire
Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control
More informationHIPAA Privacy and Security Requirements
600 East Superior Street, Suite 404 I Duluth, MN 55802 I Ph. 800.997.6685 or 218.727.9390 I www.ruralcenter.org HIPAA Privacy and Security Requirements Joe Wivoda CIO and HIT Consultant June 19, 2013 Purpose
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationThe Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP
The Challenges of Applying HIPAA to the Cloud Adam Greene, Partner Davis Wright Tremaine LLP AGENDA Key Concepts Under HIPAA HIPAA Obligations for a BA Questions Remain Reaching Answers Resources KEY CONCEPTS
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationThis is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the
This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the HIPAA Security rule: Contingency planning and evaluation.
More informationHIPAA/HITECH: A Guide for IT Service Providers
HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing
More informationThe second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures
The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures to protect and secure a covered entity s electronic information
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationHIPAA Security Checklist
HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300
More informationHIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich
HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for
More informationHIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationOCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013
ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches
More informationHIPAA Security Matrix
HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software
More informationHIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules
More informationHIPAA PRIVACY AND SECURITY AWARENESS
HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect
More informationHIPAA Privacy Rule Policies
DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment
More informationADDENDUM #1 REQUEST FOR PROPOSALS 2015-151
ADDENDUM #1 REQUEST FOR PROPOSALS 2015-151 HIPAA/HITECH/OMNIBUS Act Compliance Consulting Services TO: FROM: CLOSING DATE: SUBJECT: All Potential Responders Angie Williams, RFP Coordinator September 24,
More informationHIPAA Privacy and Security Risk Assessment and Action Planning
HIPAA Privacy and Security Risk Assessment and Action Planning Practice Name: Participants: Date: MU Stage: EHR Vendor: Access Control Unique ID and PW for Users (TVS016) Role Based Access (TVS023) Account
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationUse & Disclosure of Protected Health Information by Business Associates
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
More informationPRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES
PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy
More informationDSHS CA Security For Providers
DSHS CA Security For Providers Pablo F Matute DSHS Children's Information Security Officer 7/21/2015 1 Data Categories: An Overview All DSHS-owned data falls into one of four categories: Category 1 - Public
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationSecurity Is Everyone s Concern:
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationImplications of HIPAA Requirements on Healthcare Payment Processing
Implications of HIPAA Requirements on Healthcare Payment Processing Linda M Wolverton Vice President, Compliance, TEAMHealth Lynne Pearson Vice President, National Healthcare Treasury Management Fifth
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationPreparing for the HIPAA Security Rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationU.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)
U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool User Guide Version Date: March 2014
More informationOCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement
OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationSustainable Compliance: A System for Ongoing Audit Readiness
View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationWHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationSAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationOnline Backup by Mozy. Common Questions
Online Backup by Mozy Common Questions Document Revision Date: June 29, 2012 Online Backup by Mozy Common Questions 1 What is Online Backup by Mozy? Online Backup by Mozy is a secure online data backup
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationSolutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare
Solutions Brief Citrix Solutions for Healthcare and HIPAA Compliance citrix.com/healthcare While most people are well aware of the repercussions of losing personal or organizational data from identity
More informationHIPAA Orientation. Health Insurance Portability and Accountability Act
HIPAA Orientation Health Insurance Portability and Accountability Act HIPAA Federal legislation enacted in 1996 to improve the efficiency and effectiveness of electronic information transfers used in the
More informationHIPAA Security and HITECH Compliance Checklist
HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians
More informationHIPAA Security Risk Analysis for Meaningful Use
HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA
More informationHow To Write A Health Care Security Rule For A University
INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a
More informationNew HIPAA Rules and EHRs: ARRA & Breach Notification
New HIPAA Rules and EHRs: ARRA & Breach Notification Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC www.lewiscreeksystems.com and Raj Goel Chief Technology Officer Brainlink
More informationPrivacy and Security Meaningful Use Requirement HIPAA Readiness Review
Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit
More informationAHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA
AHLA B. HIPAA Compliance Audits Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA Anna C. Watterson Davis Wright Tremaine LLP Washington, DC Fraud
More informationInformation Security and Privacy. WHAT are the Guidelines? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT are the Guidelines? HOW is it to be done? WHY is it done? 1 WHAT are the guidelines O Be in compliance of Federal/State Laws O Federal: O HIPAA - 1996 O HITECH - 2009
More informationHIPAA: In Plain English
HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
More informationApptix Online Backup by Mozy
Apptix Online Backup by Mozy What is Apptix Online Backup by Mozy? Apptix Online Backup by Mozy is a secure online data backup service. It's a simple, smart, and economical way to protect your data from
More informationTOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information
More informationARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS
A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under
More informationAGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED
Michael Almvig Skagit County Information Services Director 1 AGENDA 1 2 HIPAA How Did Privacy The Breach Happen? HIPAA Incident Security Response 3 Corrective Action Plan 4 What We Learned Questions? ACRONYMS
More informationThe Must Have Tools To Address Your Compliance Challenge
The Must Have Tools To Address Your Compliance Challenge Industry leading Education October 21 - Top 5 tools to help you achieve HIPAA compliance November 11 - Saving time and money through web-based benefits
More informationContents. Instructions for Using Online HIPAA Security Plan Generation Tool
Instructions for Using Online HIPAA Security Plan Generation Tool Contents Step 1 Set Up Account... 2 Step 2 : Fill out the main section of the practice information section of the web site.... 3 The next
More informationProcedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
More informationWhat is HIPAA? The Health Insurance Portability and Accountability Act of 1996
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
More informationEmpowering Nurses & Building Trust Through Health IT
Empowering Nurses & Building Trust Through Health IT Helen Caton-Peters, MSN, RN Health Information Privacy & Security Specialist Office of the National Coordinator for Health Information Technology 2
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationAuthorized. User Agreement
Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More information