Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Size: px
Start display at page:

Download "Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice"

Transcription

1 Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

2 Agenda Learning objectives for this session Fundamentals of Mobile device use and correlation to HIPAA compliance HIPAA Privacy and Security from a medical practice perspective Practical safeguards behind these policies and procedures Appropriate policies and procedures for compliance and good business practices

3 Learning objectives Understand the current HIPAA compliance enforcement environment related to mobile devices Recognize the most vulnerable aspects of a practice s mobile technology Identify practical and actionable security policies and procedures Appreciate the critical steps that practice professionals must take to protect mobile devices and their practices

4 Fundamentals-the core HIPAA issue Protecting and safeguarding ephi (Protected health information) that is created, maintained, stored or transmitted Laptops, tablets and smartphones can be used for ephi Your practice may utilize other mobile devices as well

5 Fundamentals-mobile devices The expanding list of mobile or portable devices or ephi points of access: Digital Recorders USB media (Flash, Hard Drives, Cards, etc) Portable/wearable Medical Devices

6 Fundamentals-mobile use cases The expanding list of mobile or portable devices or ephi points of access also drives new ephi disclosures! For example the near indispensible use of a smartphone also encourages use of social media This in turn has increased the opportunity to inadvertently or intentionally disclose ephi (posting about a patient for example) or the case of a picture of an office that was sent via Instagram

7 Fundamentals-system paradigm shift VPN An old standard that evolves consistently Cloud An emerging standard that is misunderstood Website Often there are access portals to data, systems or website controls Hosted Applications Internal, Web based or Cloud Hosted offer a variety of new management requirements

8 Fundamentals-system paradigm shift Wi-Fi An common place technology in the public realm, but also in the corporate realm. How are Wi-Fi networks managed, who connects to them, and what other networks do they connect to? Virtual Systems VMware and Citrix; Servers, Applications and workstations Mobile Devices Physical transportation of electronic data (Ingress and Egress) outside the management purview

9 Fundamentals-system paradigm shift More computer processors (PROCS) manufactured in recent years for mobile devises than traditional desktops / workstation computers Dramatic shift from the historical manufacturing and market demand APPS and Jail-Breaking Unknown factors that contribute to vulnerabilities of mobile devices

10 Fundamentals-system paradigm shift More MalWare today being written for mobile device operating systems, specifically Android Operating Systems (OS) There is a general lack of security measures implemented for Mobile devices which make for easy targets New mobile technologies appear and are introduced with little or no oversight and are seldom identified NFC (Near Field Communication) APPs for example

11 Fundamentals-risk factors Guest Wi-Fi Public Wi-Fi Network has access to core network (No VLAN or ACL s) Corporate Wi-Fi Networks do not have proper Access Control Layers; trusted yet infected mobile device introduces Malware to core network Unidentified transportation of PHI via mobile devices USB drive, Smart Card, Digital Recorder, Tablet or Phone

12 Fundamentals-risk factors Old remote user accounts Remote Access controls are not included in HR employee policy; IT does not manage remote user access effectively or monitor for access Hijacked accounts Via a stolen device, Man in the Middle attack or Session Hijacking Stolen devices which contains PHI Devices are not encrypted, or password (security code) protected

13 Fundamentals-risk factors Insecure storage that raises threat of theft such as use in public places, storing a device in a hotel room, transport in cars or public transportation, or even home use! Lack of up to date ephi inventories and media/device inventories The increased risks associated with a bring your own device policy

14 Poll Has your practice experienced a loss or theft in the last 12 months of a: Laptop Tablet Smartphone

15 HIPAA Privacy and Security factors Medical practice use cases that are driving adoption of mobile devices for ephi include: Adoption of EHRs and Meaningful Use Adoption of HIEs and real time data exchange Adoption of the DIRECT secure messaging system Adoption of patient portals and increased patient electronic communication

16 HIPAA Privacy and Security factors Telemedicine Expansion of EHR functionality with mobile devices such as smartphones and tablets (user interfaces designed for mobility) Increased peer support for use of texting Overall increased use of mobile devices in general

17 HIPAA Privacy and Security factors The Security risks are well known and include Interception of an unsecure message or communication Loss of a device that contains data at rest including cached s, text messages or files Inadvertently sending/communicating with the wrong party Mobile malware infections that travel to the domain

18 HIPAA Privacy and Security factors These risks now have a greater Privacy implication due to the HIPAA Breach Notification rule as well as State identity theft regulations Enterprise issues in a BYOD world Standard configurations-how are these assured? Reporting of a loss or theft and follow up wiping and disabling of the device Knowing when a device is joined to your systems

19 Poll Does your practice permit the use of a personal smartphone (BYOD) or are all devices that access ephi supplied by the practice?

20 HIPAA Privacy and Security factors A critical requirement is to conduct and review a HIPAA Security Risk Analysis both for HIPAA compliance as well as Meaningful Use The use of laptops/tablets and smartphones must all be reflected on a HIPAA SRA along with the risk or threat levels

21 HIPAA Incidents-Case studies A physician who forwarded all MS Exchange to a personal Gmail account that was subsequently hacked Loss of a Smartphone with text messages regarding patient care Shoulder surfing at a Starbucks Home use and exposure of ephi when a spouse used the smartphone

22 Action Plan and Safeguards Device encryption for: Laptops Smartphones Tablets Portable devices like USB drives Encryption options: Encrypt individual files with ephi Encrypt entire device Remember-loss or theft of an encrypted device is not considered a breach

23 Poll Does your practice require encryption for all your mobile devices that contain ephi? Yes No Not Sure

24 Action Plan and Safeguards HIPAA requires device authentication Strong authentication contains multiple factors (including for mobile devices) such as: Strong and complex passwords and frequent password change Additional factors such as card swipe, fingerprint (or other biometric), or finger swipe shapes

25 Poll Does your current practice policies require a strong device password (more than just 4 characters) and at least twice yearly changes of passwords? Yes No Not Sure

26 Action Plan and Safeguards Device configuration to restrict ephi on devices such as: Limited number of s Web access only with no ephi retention Malware controls Secure technology Secure texting technology

27 Action Plan and Safeguards Device configuration to restrict and protect ephi on a devices such as: Standardized settings to limit data exposure in Bluetooth discovery mode Standardized ability to wipe a lost device (laptops and smartphones) Use of third party software for device tracking and wiping/encryption

28 Poll Does your practice use a third party mobile device management software? Yes No Not Sure

29 Action Plan and Safeguards Restricting access: Limiting the areas of your network that a portable or mobile device can access (access control layers) Role-based access defined in practice policies Staff sanction policies

30 Action Plan and Safeguards Physical security: While onsite, mobile devices should be maintained on person If not on person, device should be secured in a private or locked area While offsite, same policies apply Emphasize that devices should not be left in cars, unsecured in hospitals or homes

31 Action Plan and Safeguards Mobile devices no longer being used: Laptops, tablets, smartphones are all regularly upgraded/replaced Practices needs a policy regarding use/disposal of old devices Often given to employees for personal use Ensure that all ephi is completely removed Consider destruction

32 Action Plan and Safeguards Self-conducted mock audits: Great test of your current privacy and security environment Target highly vulnerable areas such as mobile devices Look for issues such as adherence to password and physical security policies Review results with individual staff and discuss modifications to their current behavior/actions (could include sanctions) Use audits as a practice-wide teaching opportunity

33 Action Plan and Safeguards Staff training: Specific training for use of mobile devices Periodic security reminders (staff meetings, internal newsletters) Practice volunteers must be trained Training on security when devices used remotely should also be included

34 Policy and Procedures to consider Remember that a policy and a procedure are two different documents Procedures must be detailed enough to describe how the policy is met and must be implemented as well as stay up to date and reflective of your practice to pass an OCR investigation! Policy Procedure

35 Policy and Procedures to consider Policy on ing ephi is a core consideration If ephi can be ed, procedures to describe the secure technology used (except for the new Omnibus rule exemption) Policy on texting ephi is another core consideration If ephi can be texted, procedures to describe the secure texting technology used

36 Policy and Procedures to consider Policy and Procedure on authentication controls and safeguards such as password and password changing Policy and Procedure on device data retention Policy and Procedure on not saving screen shots or other ephi to a desktop

37 Policy and Procedures to consider Policy and Procedures on public use including transport and storage and use location Policy and Procedures on home use including transport and storage and use location Policy and Procedures on social media use Policy and Procedures on proper configuration of devices Policy and Procedures on maintaining an ephi inventory

38 Policy and Procedures to consider Policy and Procedures on types of remote access controls and safeguards (VPNs etc.) Policy and Procedure on malware controls for devices Policy and Procedure on device wiping and use of third party mobile device management Policy and Procedures on firewall settings and logging of mobile device access

39 Policy and Procedures to consider Policy and Procedures on maintaining appropriate training programs: What staff are trained When they are trained, and retrained Method of training (face-to-face, webinar, book, other) Log all training activities

40 Policy and Procedures to consider Consider breach response policies and procedures for mobile devices What would you do if a mobile device was lost or stolen? Identify when it happened and what happened Begin process of notifying patients asap Notify HHS and local media asap if breach involved more than 500 individuals Ensure that P and P are reviewed, modified if necessary, and staff retrained Document every step

41 Policy and Procedures to consider Document all policies and procedures If it isn t written down, the policy doesn t exist, the procedure never happened Network with your MGMA colleagues what have they developed that you could use or reference? Consider a spreadsheet to record and track your policies and procedures Review your policies and procedures as if you were an OCR auditor

42 Poll Does your practice have a specific remote and mobile device HIPAA Security training program? Yes No Not Sure

43 HIPAA Enforcement New round of random OCR audits set to begin Enforcement is real Most of the recent press is about settlements that the OCR has reached and not the actual fine that could have been levied Examples: Laptop theft or loss where the device is not encrypted Stolen USB drive

44 Building a culture of confidentiality Emphasize to staff the importance of keeping patient data secure Get buy-in from management Discuss issue in staff communications Copyright Medical Group Management Association (MGMA ). All rights reserved.

45 Building a culture of confidentiality Explain the ramifications of unauthorized disclosures Financial expense to practice (legal, breach notification requirements, equipment replacement) Potential impact on practice reputation (patients, colleagues) Potential impact on referrals Potential government enforcement actions Include issue in performance reviews

46 Resources MGMA Resources at include: HIPAA Security Risk Analysis Toolkit Sample Notice of Privacy Practices Sample Business Associate Agreement OCR resources at include: Model notice of privacy practices Integrating Privacy and Security into your Practice ONC Guide to Privacy and Security of Health Information CMS Stage 1 Meaningful Use Core Measure 15 Conduct a security risk analysis. NIST resources at include: Guide for Conducting Risk Assessments Guide to Storage Encryption Technologies for End User Devices

47 Other solutions PrivaPlan compliance toolkits PrivaPlan conducted risk analyses or policy and procedure review/writing Contact:

48 Key take-aways Mobile devices are increasingly being used by your clinical and administrative staff They are at high risk for loss and theft Devices taken out of the practice are the most vulnerable Practices need effective policies and procedures Encryption should be considered for all mobile devices that contain ephi Staff training and re-training critical Document everything assume OCR will audit your practice tomorrow Build a culture of confidentiality within your organization and prevent problems before they happen!

49 Questions?

5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES

5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES White paper 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES PROTECTING PHI ON PORTABLE DEVICES 2016 SecurityMetrics 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES 1 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES PROTECTING

More information

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:

More information

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

Electronically Communicating in Compliance with HIPAA Privacy and Security Requirements. Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP

Electronically Communicating in Compliance with HIPAA Privacy and Security Requirements. Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP Electronically Communicating in Compliance with HIPAA Privacy and Security Requirements Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP Agenda Communicating with Patients Security Rule compliance

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP Mobile Device Management Risky Business in Healthcare North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP Agenda HIPAA/HITECH & Mobile Devices Breaches Federal

More information

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15 Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension

More information

Have you ever accessed

Have you ever accessed HIPAA and Your Mobile Devices Not taking the appropriate precautions can be very costly. 99 BY MARK TERRY Alexey Poprotskiy Dreamstime.com Have you ever accessed patient data offsite using a laptop computer,

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Electronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security

Electronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security Electronic Communication In Your Practice How To Use Email & Mobile Devices While Maintaining Compliance & Security Agenda 1 HIPAA and Electronic Communication 2 3 4 Using Email In Your Practice Mobile

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA.

Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. Cyber Security in the Mobile Era KEEPING ENTERPRISE DATA SAFE IN THE BYOD ERA. What is Mobile Security? Mobile security is the protection of both personal and business information stored on and transmitted

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

HIPAA Secure Now! HIPAA Security and Omnibus Rules Overview

HIPAA Secure Now! HIPAA Security and Omnibus Rules Overview HIPAA Secure Now! HIPAA Security and Omnibus Rules Overview HIPAA Risk Assessment The HIPAA Security Rule requires that a Risk Assessment be completed. The purpose of a Risk Assessment is to: identify

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Agenda Introduction / Session Overview HIT Budgeting 101 Security and Compliance EHR budgeting HIT Where Are We Going Q & A 2 Copyright

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK

A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK A PRACTICAL GUIDE TO USING ENCRYPTION FOR REDUCING HIPAA DATA BREACH RISK Chris Apgar Andy Nieto 2015 OVERVIEW How to get started assessing your risk What your options are how to protect PHI What s the

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Copyright 2016 State Volunteer Mutual Insurance Company. HIPAA Training for the Medical Office

Copyright 2016 State Volunteer Mutual Insurance Company. HIPAA Training for the Medical Office Copyright 2016 State Volunteer Mutual Insurance Company HIPAA Training for the Medical Office Disclaimer The information and any commentary contained in these training materials is for informational purposes

More information

HELPFUL TIPS: MOBILE DEVICE SECURITY

HELPFUL TIPS: MOBILE DEVICE SECURITY HELPFUL TIPS: MOBILE DEVICE SECURITY Privacy tips for Public Bodies/Trustees using mobile devices This document is intended to provide general advice to organizations on how to protect personal information

More information

Research Information Security Guideline

Research Information Security Guideline Research Information Security Guideline Introduction This document provides general information security guidelines when working with research data. The items in this guideline are divided into two different

More information

HIPAA Security Rule Changes and Impacts

HIPAA Security Rule Changes and Impacts HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

HIPAA Requirements and Mobile Apps

HIPAA Requirements and Mobile Apps HIPAA Requirements and Mobile Apps OCR/NIST 2013 Annual Conference Adam H. Greene, JD, MPH Partner, Washington, DC Use of Smartphones and Tablets Is Growing 2 How Info Sec Sees Smartphones Easily Lost,

More information

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.

More information

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper Securing Patient Data in Today s Mobilized Healthcare Industry Securing Patient Data in Today s Mobilized Healthcare Industry 866-7-BE-GOOD good.com 2 Contents Executive Summary The Role of Smartphones

More information

Network Security for End Users in Health Care

Network Security for End Users in Health Care Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information

More information

How to Practice Safely in an era of Cybercrime and Privacy Fears

How to Practice Safely in an era of Cybercrime and Privacy Fears How to Practice Safely in an era of Cybercrime and Privacy Fears Christina Harbridge INFORMATION PROTECTION SPECIALIST Information Security The practice of defending information from unauthorised access,

More information

Conducting a HIPAA Security Risk Analysis For MEANINGFUL USE, HIPAA Compliance and Good Business Practice. Presented for ICAHN by David A.

Conducting a HIPAA Security Risk Analysis For MEANINGFUL USE, HIPAA Compliance and Good Business Practice. Presented for ICAHN by David A. Conducting a HIPAA Security Risk Analysis For MEANINGFUL USE, HIPAA Compliance and Good Business Practice Presented for ICAHN by David A. Ginsberg Agenda Deep Dive into the 15 th Core Objective Conducting

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

What Are The Odds Of a HIPAA Audit?

What Are The Odds Of a HIPAA Audit? What Are The Odds Of a HIPAA Audit? 1 Random Odds The law Outline Why is enforcement up? What types of audits and what causes them Examples of enforcement What can you do to avoid audits and fines 2 3

More information

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents

More information

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates HIPAA Myths WEDI Regional Affiliates Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the

More information

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations

Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations Dell s Five Best Practices for Maximizing Mobility Benefits while Maintaining Compliance with Data Security and Privacy Regulations Inside ü Tips for deploying or expanding BYOD programs while remaining

More information

Part 14: USB Port Security 2015

Part 14: USB Port Security 2015 Part 14: USB Port Security This article is part of an information series provided by the American Institute of Healthcare Compliance in response to questions we receive related to Meaningful Use and CEHRT

More information

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and

More information

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Data Security in the Insurance Industry: WHAT YOU NEED TO KNOW

Data Security in the Insurance Industry: WHAT YOU NEED TO KNOW Data Security in the Insurance Industry: WHAT YOU NEED TO KNOW Lock Down That Data Today, some insurance professionals store or share terabytes of electronic information, some of which is sensitive personal

More information

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall Mobile security and your EMR Presented by: Shawn Tester & Allen Cornwall Date: October 14, 2011 Overview General Security Challenges & best practices Mobile EMR interfaces - EMR Access - Today & Future

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

Data Security Considerations for Research

Data Security Considerations for Research Data Security Considerations for Research Institutional Review Board Annual Education May 8, 2012 1 PRIVACY vs. SECURITY What s the Difference?: PRIVACY Refers to WHAT is protected Health information about

More information

Safeguarding Privacy on Mobile Devices

Safeguarding Privacy on Mobile Devices i Safeguarding Privacy on Mobile Devices www.ipc.on.ca Table of Contents Introduction 1 Tips for Safeguarding Mobile Devices 3 Checklist 4 Further Resources 8 Safeguarding Privacy on Mobile Devices Introduction

More information

Mobile Device Security

Mobile Device Security Mobile Device Security Presented by Kelly Wilson Manager of Information Security, LCF Research New Mexico Health Information Collaborative (NMHIC) and the New Mexico Health Information Technology Regional

More information

HIPAA Requirements and Mobile Apps

HIPAA Requirements and Mobile Apps HIPAA Requirements and Mobile Apps 2014 HCCA Compliance Institute Adam H. Greene, JD, MPH Partner, Washington, DC Use of Smartphones and Tablets Is Growing 2 How Info Security Sees Smartphones Easily Lost,

More information

HIPAA Requirements and Mobile Apps

HIPAA Requirements and Mobile Apps HIPAA Requirements and Mobile Apps 2014 HCCA Compliance Institute Adam H. Greene, JD, MPH Partner, Washington, DC Use of Smartphones and Tablets Is Growing 2 20993049v2 1 How Info Security Sees Smartphones

More information

ONE DEVICE TO RULE THEM ALL! AUDITING MOBILE DEVICES / BYOD NSAA IT CONFERENCE OCTOBER 2, 2014

ONE DEVICE TO RULE THEM ALL! AUDITING MOBILE DEVICES / BYOD NSAA IT CONFERENCE OCTOBER 2, 2014 ONE DEVICE TO RULE THEM ALL! 1993 2013 1 AUDITING MOBILE DEVICES / BYOD NSAA IT CONFERENCE OCTOBER 2, 2014 2 1 AGENDA Mobile Devices / Smart Devices Implementation Models Risks & Threats Audit Program

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

HIPAA Training for Staff and Volunteers

HIPAA Training for Staff and Volunteers HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

Introduction to Building and Governing Your HIPAA Compliance Program. June 28, 2016

Introduction to Building and Governing Your HIPAA Compliance Program. June 28, 2016 Introduction to Building and Governing Your HIPAA Compliance Program June 28, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

PREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO JBaskin@nshs.

PREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO JBaskin@nshs. PREP Course #25: Hot Topics in Cyber Security and Database Security Presented by: Joe Baskin Manager, Information Security, OCIO JBaskin@nshs.edu Objectives Discuss hot topics in cyber security and database

More information

COPIC INSIGHT: DATA BREACHES

COPIC INSIGHT: DATA BREACHES COPIC INSIGHT: DATA BREACHES SEPTEMBER 2015 COPIC INSIGHT is a new, exclusive resource for COPIC-insured individuals, practices, and facilities. It provides insight on a timely issue in health care, along

More information

Human Subject Research: HIPAA Privacy and Security. Human Research Academy 101

Human Subject Research: HIPAA Privacy and Security. Human Research Academy 101 Human Subject Research: HIPAA Privacy and Security Human Research Academy 101 Your Enterprise Privacy Officer Christine Adams, CHC, CHPC Enterprise Privacy Officer Compliance & Enterprise Risk Management

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices 8-27-2015 4-007.1 Supersedes 4-007 Page Of 1 5 Responsible Authority Vice Provost for Information

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

HIPAA: Bigger and More Annoying

HIPAA: Bigger and More Annoying HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL

More information

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY STANDARD Name Of Standard: Mobile Device Standard Domain: Security Date Issued: 09/07/2012 Date Revised:

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Cyber Security. John Leek Chief Strategist

Cyber Security. John Leek Chief Strategist Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

Mobile Devices in Healthcare: Managing Risk. June 2012

Mobile Devices in Healthcare: Managing Risk. June 2012 Mobile Devices in Healthcare: Managing Risk June 2012 1 Table of Contents Introduction 3 Mobile Device Risks 4 Managing Risks and Complexities 5 Emerging Solutions 7 Conclusion 7 References 8 About the

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

= AUDIO. The Importance of Mobile Device Management in HIT. An Important Reminder. Mission of OFMQ 12/9/2015

= AUDIO. The Importance of Mobile Device Management in HIT. An Important Reminder. Mission of OFMQ 12/9/2015 The Importance of Mobile Device Management in HIT Mario Cruz OFMQ Chief Information Officer An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906 0123. Step 2: Enter code 2071585#.

More information

Solutions Brief. PC Encryption Regulatory Compliance. Meeting Statutes for Personal Information Privacy. Gerald Hopkins Cam Roberson

Solutions Brief. PC Encryption Regulatory Compliance. Meeting Statutes for Personal Information Privacy. Gerald Hopkins Cam Roberson Solutions Brief PC Encryption Regulatory Compliance Meeting Statutes for Personal Information Privacy Gerald Hopkins Cam Roberson March, 2013 Personal Information at Risk Legislating the threat Since the

More information

An Independent Member of Baker Tilly International

An Independent Member of Baker Tilly International Healthcare Security and Compliance July 23, 2015 Presenters Kelley Miller, CISA, CISM - Principal Kelley.Miller@mcmcpa.com Barbie Thomas, MBA, CHC Barbie.Thomas@mcmcpa.com 2 Agenda Introductions Cybersecurity

More information

HIPAA Workshop Ensuring PHI: Creating a Comprehensive Office Policy

HIPAA Workshop Ensuring PHI: Creating a Comprehensive Office Policy HIPAA Workshop Ensuring PHI: Creating a Comprehensive Office Policy 2014 OP User Conference Presented by: Sue Kressly, MD, FAAP and Leann DiDomenico, MBA Goal: Develop your Strategy to Ensure the Safety

More information

How Technology Executives are Managing the Shift to BYOD

How Technology Executives are Managing the Shift to BYOD A UBM TECHWEB WHITE PAPER SEPTEMBER 2012 How Technology Executives are Managing the Shift to BYOD An analysis of the benefits and hurdles of enabling employees to use their own consumer devices in the

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

Tuesday, June 5, 12. Mobile Device Usage

Tuesday, June 5, 12. Mobile Device Usage Mobile Device Usage Remeber This? The original, live presentation included the embedded video below: http://www.youtube.com/watch?v=bo-nft2mohi A Changing Industry Proliferation of Smart Phones and Tablets.

More information

HIPAA Compliance Tune-Up for Are You Prepared?

HIPAA Compliance Tune-Up for Are You Prepared? HIPAA Compliance Tune-Up for 2016 Are You Prepared? Speakers Michael Flavin Senior Product Marketing Manager efax Corporate, Part of j2 Cloud Services 2 Agenda 1 Why HIPAA Enforcement Will Get Stronger

More information

Meaningful Use and Core Requirement 15

Meaningful Use and Core Requirement 15 Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information

More information