VMware vcloud Air HIPAA Matrix


VMware goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third-party examination of vcloud Air against the applicable regulatory requirements of HIPAA to serve the needs and requirements of our Healthcare Industry customers. To help customers comply with HIPAA, VMware offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers. The BAA was designed in conjunction with a leading law firm with expertise in HIPAA and provides fair and reasonable terms for healthcare providers, insurers, and other organizations. A high-level overview of this program is available online: air/hipaa-hitech-compliance-using-vmware-vcloud-air.pdf

This document serves as a detailed account of the controls outlined in the vcloud Air Information Security Management System as they relate to HIPAA requirements. The Information Security Management System (ISMS) governing the vcloud Air service addresses essential elements of the HIPAA Security Rule and the HITECH Act. The criteria used in making this assertion were the information security program detail and the applicable control implementation guidance located in the HIPAA Security Rule and HITECH requirement documentation. These controls include the following standards and specifications: Administrative Safeguards; Physical Safeguards; Technical Safeguards; and Breach Notification.

This matrix includes all of the HIPAA and HITECH regulations that vcloud Air has been assessed against by an independent third-party audit firm. This matrix is a tool that can assist your organization in quickly identifying the applicable regulations that the vcloud Air service is in compliance with and the control activities that satisfy those regulations.

DISCLAIMER: The scope of the vcloud Air HIPAA assessment and of this document is strictly limited to the regulations as they apply to VMware delivering the vcloud Air service. Any regulations listed with an N/A are regulations deemed to be outside the scope of VMware's responsibility. All regulations applicable to covered entities are assumed to be the customer's responsibility. This matrix should be used as guidance only and is not a guarantee that a customer is in compliance with the HIPAA regulations based on vcloud Air's assessment against the HIPAA and HITECH regulations.

To request a copy of the vcloud Air HIPAA assessment report, please contact your VMware salesperson.

The matrix lists each regulation followed by the corresponding vcloud Air control activity.

Administrative Safeguards

(a)(1)(i) Standard: Security Management Process. A covered entity or business associate must implement policies and procedures to prevent, detect, contain, and correct security violations.
Control Activity: vcloud Air has documented policies and procedures in place to guide personnel in security practices, including but not limited to an information security policy, an access control policy and a risk management framework.

(a)(1)(ii)(A) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Control Activity: Documented policies and procedures are in place to guide personnel in performing risk assessments on a periodic basis. A risk assessment is conducted on at least an annual basis.

(a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a).
Control Activity: Additionally, information technology security awareness and HIPAA privacy awareness training programs are in place to communicate VMware security and HIPAA privacy policies to employees on an annual basis.

(a)(1)(ii)(C) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
Control Activity: Documented HIPAA violation sanction policies and procedures are in place to guide compliance personnel in applying sanctions to employees who fail to comply with security policies.

(a)(1)(ii)(D) Implement procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking.
Control Activity: Security monitoring applications and manual reviews are used to monitor and analyze in-scope systems. Tracking tools for incidents are in place and user access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel.

(a)(2) Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.
Control Activity: The vice president of information security is designated to develop, maintain, review, and approve the security policies.

(a)(3)(i) Standard: Workforce Security. A covered entity or business associate must implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under (a)(4), and to prevent those workforce members who do not have access from obtaining access to EPHI.
Control Activity: Documented policies and procedures are in place to guide personnel in adding new users, modifying access levels, and removing users who no longer need access. User access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel.

(a)(3)(ii)(A) Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system.

(a)(3)(ii)(B) Implement procedures to determine that the access of a workforce member to EPHI is appropriate.
Control Activity: Documented access authorization policies are in place to guide personnel in granting access to electronic protected health information. User access reviews are regularly performed to help ensure that access to data is restricted to authorized personnel.

(a)(3)(ii)(C) Implement procedures for terminating access to EPHI when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B).
Control Activity: Documented policies and procedures are in place to guide personnel in removing access for terminated employees.

(a)(4)(i) Standard: Information Access Management. A covered entity or business associate must implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system.

(a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect EPHI of the clearinghouse from unauthorized access by the larger organization.
Control Activity: N/A

(a)(4)(ii)(B) Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process or other mechanism.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system.

(a)(4)(ii)(C) Implement policies and procedures that, based upon the covered entity's or business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Control Activity: Documented policies and procedures are in place to guide personnel in the initial authorization and onboarding of new employees. Any changes to access levels during employment are also documented via a ticketing system. A termination form is completed and access revoked for employees as a component of the employee termination process.

(a)(5)(i) Standard: Security Awareness Training. A covered entity or business associate must implement a security awareness and training program for all members of its workforce (including management).
Control Activity: A security awareness training program is in place to communicate the security obligations of internal users, and employees are required to complete training annually.

(a)(5)(ii)(A) Provide periodic information security updates.
Control Activity: The VMware information technology security group monitors the security impact of potential security vulnerabilities and emerging technologies, and the impact of applicable laws or regulations is considered by senior management.

(a)(5)(ii)(B) Implement procedures for guarding against, detecting, and reporting malicious software.
Control Activity: A central antivirus server is configured with antivirus software to protect registered production Windows and Mac workstations and Windows production servers.

(a)(5)(ii)(C) Implement procedures for monitoring login attempts and reporting discrepancies.
Control Activity: Security monitoring applications and manual reviews by the security operations personnel are utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

(a)(5)(ii)(D) Implement procedures for creating, changing, and safeguarding passwords.
Control Activity: The in-scope systems are configured to enforce predefined user account and minimum password requirements.

(a)(6)(i) Standard: Security Incident Procedures. A covered entity or business associate must implement policies and procedures to address security incidents.
Control Activity: Documented incident response policies and procedures for reporting security incidents are in place to guide personnel in identifying, reporting, and acting upon system security incidents.

(a)(6)(ii) Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Control Activity: Documented incident response policies and procedures are in place to guide personnel in responding to suspected security incidents and to mitigate the effects of any security incidents.

(a)(7)(i) Standard: Contingency Plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI.
Control Activity: Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event.

(a)(7)(ii)(A) Establish and implement procedures to create and maintain retrievable exact copies of EPHI.
Control Activity: An automated backup system is in place to perform scheduled backups of production data and systems on a daily basis. IT operations personnel perform backup media restores as a component of normal business operations to verify that system components can be recovered from system backups.

(a)(7)(ii)(B) Establish (and implement as needed) procedures to restore any lost data.
Control Activity: Documented disaster recovery plans are in place to guide personnel in restoring lost data.

(a)(7)(ii)(C) Establish (and implement as needed) procedures to enable continuation of critical business processes and for protection of the security of EPHI while operating in emergency mode.
Control Activity: Documented contingency plans are in place to guide personnel in the continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(a)(7)(ii)(D) Implement procedures for periodic testing and revision of contingency plans.
Control Activity: Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event.

(a)(7)(ii)(E) Assess the relative criticality of specific applications and data in support of other contingency plan components.
Control Activity: Business continuity and disaster recovery plans are documented and include criticality assessments of applications and data to support the contingency plan.

(a)(8) Standard: Evaluation. A covered entity or business associate must perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
Control Activity: A risk assessment is conducted on at least an annual basis, and policies and procedures are updated periodically based on the results of operational and environmental risk assessments.

(b)(1) A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with (a), that the business associate or subcontractor business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
Control Activity: N/A

(b)(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit EPHI on its behalf only if the business associate obtains satisfactory assurances, in accordance with (a), that the subcontractor will appropriately safeguard the information.
Control Activity: Nondisclosure agreements are utilized to document requirements for handling personal information by third parties.

(b)(3) Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of (a).
Control Activity: N/A

Physical Safeguards

(a)(1)(i) Standard: Facility Access Controls. A covered entity or business associate must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Control Activity: Documented policies and procedures are in place for physical access to help ensure that properly authorized access is allowed to electronic information systems.

(a)(2)(i) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Control Activity: Disaster recovery plans are in place and tested regularly to guide personnel in procedures to protect against disruptions caused by an unexpected event.

(a)(2)(ii) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Control Activity: Documented policies and procedures are in place for physical access to help ensure that properly authorized access is allowed to electronic information systems.

(a)(2)(iii) Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Control Activity: Procedures are in place to control and validate access to facilities based on role or function, including visitor control, and control of access to software programs for testing and revision.

(a)(2)(iv) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
Control Activity: Documented policies and procedures are in place to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

(b) Standard: Workstation Use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI.
Control Activity: Personnel are required to adhere to acceptable use policies while performing their respective job duties. Additionally, policies and procedures are in place to guide personnel in workstation security to apply appropriate protection to unattended equipment.

(c) Standard: Workstation Security. A covered entity or business associate must implement physical safeguards for all workstations that access EPHI to restrict access to authorized users.
Control Activity: Documented policies and procedures are in place to guide personnel in workstation security and usage. Additionally, documented physical access policies and procedures are in place to guide personnel in physical security practices.

(d)(1) Standard: Device and Media Controls. A covered entity or business associate must implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.
Control Activity: Documented hardware and media accountability policies and procedures are in place to guide personnel in device and media control practices.

(d)(2)(i) Implement policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored.
Control Activity: A documented media disposal policy is in place to guide personnel in the disposal of sensitive data and information.

(d)(2)(ii) Implement procedures for removal of EPHI from electronic media before the media are made available for reuse.
Control Activity: A documented media re-use policy is in place to guide personnel in media re-use practices.

(d)(2)(iii) Maintain a record of the movements of hardware and electronic media and the person responsible for its movement.
Control Activity: VMware IT management maintains an inventory listing to track movement of hardware and electronic media. Documented policies and procedures are in place to guide personnel in asset security during movements of hardware and electronic media.

(d)(2)(iv) Create a retrievable, exact copy of EPHI, when needed, before movement of equipment.
Control Activity: An automated backup system is in place to perform scheduled backups of production data and systems on a daily basis. IT operations personnel also perform backup media restores as a component of normal business operations to verify that system components can be recovered from system backups.

Technical Safeguards

(a)(1) Standard: Access Control. Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).
Control Activity: Documented policies and procedures are in place to guide personnel in limiting access to only those persons or systems that have been granted access. Additionally, administrative access privileges to the in-scope systems are restricted to user accounts accessible by authorized personnel.

(a)(2)(i) Assign a unique name and/or number for identifying and tracking user identity.
Control Activity: The in-scope systems are configured to enforce predefined user account and minimum password requirements.

(a)(2)(ii) Establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency.
Control Activity: Disaster recovery plans are in place to guide personnel in procedures to protect against disruptions caused by an unexpected event.

(a)(2)(iii) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Control Activity: The in-scope systems are configured to lock or log off user sessions after a predefined inactivity threshold.

(a)(2)(iv) Implement a mechanism to encrypt and decrypt EPHI.
Control Activity: Web servers utilize SSL encryption for web communication sessions. Encrypted VPNs are required for remote access to help ensure the security and integrity of the data passing over the public network.

(b) Standard: Audit Controls. A covered entity or business associate must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI.
Control Activity: Security monitoring applications are utilized to monitor network events and are configured to produce a monitoring report on a daily basis.

(c)(1) Standard: Integrity. A covered entity or business associate must implement policies and procedures to protect EPHI from improper alteration or destruction.
Control Activity: Documented data integrity policies and procedures are in place to guide personnel in data integrity practices.

(c)(2) Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.
Control Activity: N/A

(d) Standard: Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Control Activity: The in-scope systems are configured to enforce predefined user account and minimum password requirements.

(e)(1) Standard: Transmission Security. A covered entity or business associate must implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.
Control Activity: Web servers utilize SSL encryption for web communication sessions. Encrypted VPNs are required for remote access to help ensure the security and integrity of the data passing over the public network.

(e)(2)(i) Implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of.
Control Activity: N/A

(e)(2)(ii) Implement a mechanism to encrypt EPHI whenever deemed appropriate.
Control Activity: N/A

HITECH Breach Notification Safeguards

(a)(1) A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of the breach.
Control Activity: Documented policies and procedures are in place to guide personnel in notifying the covered entity upon discovery of a breach of unsecured protected health information no later than 30 days following the discovery.

(a)(2) For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).
Control Activity: Documented policies and procedures are in place to guide personnel in responding to discovery of a breach.

(b) Except as provided in , a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
Control Activity: Notification to the covered entity upon discovery of a breach of unsecured protected health information no later than 30 days following the discovery.

(c)(1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.
Control Activity: Documented policies and procedures are in place to guide personnel in notifying the covered entity upon discovery of a breach of unsecured protected health information and include, to the extent possible, the identification of each individual whose unsecured protected health information was, or is reasonably believed to have been, accessed, acquired, used or disclosed during the breach.

(c)(2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under (c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.
Control Activity: Documented policies and procedures are in place to guide personnel in breach notifications, in plain language, to the covered entity that include.

VMware, Inc., Hillview Avenue, Palo Alto, CA, USA. Copyright 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.


More information

HIPAA/HITECH Compliance Using VMware vcloud Air

HIPAA/HITECH Compliance Using VMware vcloud Air Last Updated: September 23, 2014 White paper Introduction This paper is intended for security, privacy, and compliance officers whose organizations must comply with the Privacy and Security Rules of the

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance

More information

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL August, 2013 HIPAA SECURITY REGULATION COMPLIANCE DOCUMENTS For (Practice name) (Street Address) (City, State, ZIP) Adopted (Date) 2 INTRODUCTION The federal

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

Complying with 45 CFR 164 HIPAA Security Standards; Final Rule

Complying with 45 CFR 164 HIPAA Security Standards; Final Rule Complying with 45 CFR 164 HIPAA Security Standards; Final Rule Implement best practices by using FileMaker Pro 7 as the backbone of your HIPAA compliant system. By Todd Duell This final rule adopts standards

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

HIPAA Secure Now! HIPAA Security and Omnibus Rules Overview

HIPAA Secure Now! HIPAA Security and Omnibus Rules Overview HIPAA Secure Now! HIPAA Security and Omnibus Rules Overview HIPAA Risk Assessment The HIPAA Security Rule requires that a Risk Assessment be completed. The purpose of a Risk Assessment is to: identify

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15 Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension

More information

Security Manual for Protected Health Information

Security Manual for Protected Health Information Security Manual for Protected Health Information Revised September 2011 Contents PREFACE... 4 TTUHSC Operating Policy Regarding Privacy and Security... 5 1. DEFINITIONS:... 6 2. ADMINISTRATIVE SAFEGUARDS

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

HIPAA and HITECH Regulations

HIPAA and HITECH Regulations HIPAA and HITECH Regulations Implications for Healthcare Organizations and their Business Associates A Primer on Achieving Compliance by KOM Networks 1 Contents Table of Contents Preface... 3 Target audience...

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

Healthcare Network Accreditation Program (HNAP-EHN) Criteria

Healthcare Network Accreditation Program (HNAP-EHN) Criteria ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Network Accreditation Program (HNAP-EHN) Criteria For The HEALTHCARE INDUSTRY Version 10.0 Release date: January 1, 2009 Lee Barrett,

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security awareness training, and security incident procedures. The

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

itrust Medical Records System: Requirements for Technical Safeguards

itrust Medical Records System: Requirements for Technical Safeguards itrust Medical Records System: Requirements for Technical Safeguards Physicians and healthcare practitioners use Electronic Health Records (EHR) systems to obtain, manage, and share patient information.

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA Assessment HIPAA Policy and Procedures

HIPAA Assessment HIPAA Policy and Procedures Sample Client HIPAA Assessment HIPAA Policy and Procedures Sample Client Prepared by: InhouseCIO, LLC CONFIDENTIALITY NOTE: The information contained in this report document is for the exclusive use of

More information

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

Develop HIPAA-Compliant Mobile Apps with Verivo Akula Develop HIPAA-Compliant Mobile Apps with Verivo Akula Verivo Software 1000 Winter Street Waltham MA 02451 781.795.8200 sales@verivo.com Verivo Software 1000 Winter Street Waltham MA 02451 781.795.8200

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: Jan 27, 2015 8815 Centre Park Drive, Columbia MD 21045 HIPAA About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

How Managed File Transfer Addresses HIPAA Requirements for ephi

How Managed File Transfer Addresses HIPAA Requirements for ephi How Managed File Transfer Addresses HIPAA Requirements for ephi 1 A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS

ARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

Visa Inc. HIPAA Privacy and Security Policies and Procedures

Visa Inc. HIPAA Privacy and Security Policies and Procedures Visa Inc. HIPAA Privacy and Security Policies and Procedures Originally Effective April 14, 2003 (HIPAA Privacy) And April 21, 2005 (HIPAA Security) Further Amended Effective February 17, 2010, Unless

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures to protect and secure a covered entity s electronic information

More information

HIPAA Security Education. Updated May 2016

HIPAA Security Education. Updated May 2016 HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)

More information

MAX Insight. HIPAA Hardening & Configuration Guide for MSP s

MAX Insight. HIPAA Hardening & Configuration Guide for MSP s MAX Insight Whitepaper HIPAA Hardening & Configuration Guide for MSP s Detailed advice and recommendations on how to properly setup and configure the MAXfocus product platform for usage within HIPAA compliancy

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent

More information

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

UT Health Science Center

UT Health Science Center UT Health Science Center Doc. Version: 1.0 Page 1 of 30 Revision Revised by: C. Moffitt Date: Anthony A. Ferrara, C.P.A., M.A.S. UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER (UTHSC) HIPAA PRIVACY AND

More information

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

More information

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule. The HIPAA Security Rule outlines

More information

District of Columbia Health Information Exchange Policy and Procedure Manual

District of Columbia Health Information Exchange Policy and Procedure Manual District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description

More information