Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK

Save this PDF as:

Size: px
Start display at page:

Download "Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK"

Transcription

1 Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK

2 Are You Ready? For nearly four years, official HIPAA compliance audits have been on hold. The Department of Human Services (HHS) Office for Civil Rights (OCR) conducted pilot audits from 2009 when the audits became part of the HITECH Act, until 2012 when that program ended. Since then, OCR has been silent. That all changed recently when the OCR released an updated protocol for use in phase two HIPAA compliance audits beginning this year. According to the OCR website, the revised audit protocol covers nearly 180 target areas including: Privacy rule requirements for: Notice of privacy practices for PHI Rights to request privacy protection for PHI Access of individuals to PHI Administrative requirements Uses and disclosures of PHI Amendment of PHI Accounting of disclosure Security rule requirements for administrative, physical, and technical safeguards Breach notification rule requirements 1 In an interview during the HIMSS 2016 conference, Deputy Director of Health Information Privacy Deven McGraw revealed the OCR will be conducting 200 remote desk audits focused on a subset of HIPAA mandates along with 10 to 25 full scale on-site audits. 2 Should you be one of the selected entities, are you prepared for the intense scrutiny of an OCR HIPAA audit? Whether gearing up for an official audit or simply looking to upgrade your organizational security program, preparing for a potential OCR investigation can provide an effective security roadmap. 1 HHS.gov Health Information Privacy web page 2 OCR Releases New HIPAA Audit Protocol, by Marianne Kolbasuk McGee, Healthcare Info Security, ISMG Network, April 5,

3 Here are seven steps you can take to enhance your preparedness: 1. Develop Your Strategy Most organizations have a Compliance Department that s responsible for HIPAA policies and processes involving PHI access and usage. In order to guide this group, your organization should start with an overall corporate strategy that addresses every aspect of compliance. The strategy should center on securing and encrypting PHI at three stages: data sending, data receiving, and data at rest. You need to be able to prove to auditors that you have effective firewalls surrounding all EMR systems during all three phases. A comprehensive strategy provides the framework to build your overall compliance program. 2. Implement a Monitoring Program To ensure security of PHI, many organizations have implemented surveillance of all information moving in and out of the organization. Setting up filters for key phrases can capture communication that contains or refers to PHI and alert the compliance group to private information that may be going outside your organization s walls. Compliance can then follow up with the individuals involved to investigate and resolve the issue. 3

4 3. Tighten Your User Account Management During any review, auditors will look at every application that contains PHI and how that information is accessed. Questions they will ask include: Does the person have rights to get to the records they are accessing? Do they require a user name and password? Do they have a reason to be in that record? - Are they providing direct patient care, consultation services, or are they doing billing? Does each user have an assigned security level based on job type and responsibilities that determines how far and how much information they can get to? There should be a time stamp system that documents who has accessed the system at every point. Limit access on an as needed basis and be able to prove those controls to the auditor. There should be very few people with access to the entire system. You also need to be able to show that you are expiring accounts appropriately. Implement a process for deactivating accounts of terminated employees and ensuring the account privileges of contract employees get terminated at the end of their engagement. To ensure audit compliance for system access, run reports daily on system access activity. Managers should receive a report yearly detailing all employees that have access to clinical information and be required to validate whether each individual still needs access to the system. If they can t prove that they need access, they should be removed from the list. Auditors want to see that there is constant surveillance of access protocol so you need to put systems in place to make sure that is happening on a regular basis. 4

5 4. Protect Your Desktops Auditors understand that one of the most vulnerable points of any security system is the desktop so that should be a particular security focus area. Every desktop computer that has a hard drive should be encrypted and every USB port must be blocked. Any clinical workstation that might have PHI must be protected. Other ways to secure your desktops include deploying virtualization to eliminate all hard drives, instituting strong password requirements, using dual authentication, and utilizing obscure screen, auto logoff, step down PINs, and re-authentication windows. Implementing single sign on (SSO) allows you to mitigate multiple applications and the passwords behind the scenes so you re not exposing them to anyone. 5. Implement an Internal Auditing Program An effective way to ensure you are ready for a third party audit is to implement a multi-level internal audit program. The Compliance team will conduct audits on a real-time interval basis. Network and Desktop services groups should regularly audit their IT systems to ensure all passwords are appropriate and all patches are up to date to protect against both internal and external attacks or viruses. Performing unannounced internal audits is one of the best ways to ensure that your organizational processes are documented and being followed. Conducting annual intrusion testing is another effective way to determine that you are ready for an external audit. Some organizations have security teams that hire hackers to come in and see how far they can get into the system to evaluate whether they are appropriately handling system security. 5

6 6. Highlight Exceptions A key element of your internal audits is to highlight exceptions that you uncover. Run reports on activity in every environment to confirm that all the security measures you ve implemented are in place. Exceptions or findings should be listed and investigated so you can initiate appropriate corrective actions. Develop a monthly security dashboard to share active security projects, as well as discovered vulnerabilities and how they are being addressed. This information should be reported to senior management and the board of directors. Showing external auditors that you re being completely transparent when it comes to security is an important step in successfully passing an audit. 7. Stay Vigilant Preparing for a HIPAA audit is not a static, one time event. There needs to be an ongoing process of checking and follow up. In today s environment where security has taken on such prominence, your organization must be in a constant state of surveillance. The number of attacks on healthcare systems has increased to a level where you can t lower your guard at any time. You need to constantly evaluate your system to make sure all vulnerabilities are secured. Being ever vigilant will not only help you prepare for a HIPAA audit, but more importantly, will ensure that your PHI is protected and secure. Aventura s Sympatica is a flexible, situational awareness platform for highly secure, personalized clinical desktops. Sympatica provides stand alone computer access security through two factor authentication or Pin and go capability and is an ideal solution for organizations that use control/alt/del open desktops or open desktops with no other security. Contact us to learn how we can help you improve your security program. 6

7 7 About Aventura Aventura leverages situational awareness to deliver a highly secure, personalized clinical desktop. With security, personalized desktop and interoperability functionality, Aventura s Sympatica platform is a flexible, modular offering that fits every operational need and budget. Choose from three levels of functionality to solve a specific issue or leverage all three for a complete, integrated clinical desktop solution.

8 CONTACT US Office: 1641 California Street, Suite 400 Denver, CO Phone:

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security awareness training, and security incident procedures. The

More information

The OCR Audit Protocol a first look

The OCR Audit Protocol a first look The OCR Audit Protocol a first look On June 26, 2012, the Office for Civil Rights published its Audit Protocols for HIPAA Security, HIPAA Breach and Privacy at http://ocrnotifications.hhs.gov/hipaa.html.

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

HIPAA Audits Are Here!

HIPAA Audits Are Here! HIPAA Audits Are Here! How to prepare for and what to expect when OCR comes knocking May 12, 2016 James B. Wieland, Principal, Ober Kaler Emily H. Wein, Principal, Ober Kaler David Holtzman, VP of Compliance,

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

OCR HIPAA Security Audit Protocol a second look

OCR HIPAA Security Audit Protocol a second look OCR HIPAA Security Audit Protocol a second look On June 26, 2012, the Office for Civil Rights published its Audit Protocols for HIPAA Security, HIPAA Breach and Privacy at http://ocrnotifications.hhs.gov/hipaa.html.

More information

REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT

REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT ARE YOUR AUTHENTICATION, ACCESS, AND AUDIT PARADIGMS UP TO DATE? BY KERRY ARMSTRONG, PRIVACY,

More information

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

A HIPAA Security Incident and Investigation. It Can Happen to You.

A HIPAA Security Incident and Investigation. It Can Happen to You. A HIPAA Security Incident and Investigation. It Can Happen to You. Sandra L. Sessoms, RN, CPHQ, CHC Director, System Compliance Robert R. Michalski, CHC Chief Compliance Officer Baylor Health Care System

More information

Our Commitment to Information Security

Our Commitment to Information Security Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

ITECH Net Monitor. Standards Compliance

ITECH Net Monitor. Standards Compliance If you rely on your IT infrastructure to maintain data integrity and protect your business from financial losses, it s a good idea to invest in a full fledged network monitoring program and achieve compliance

More information

Texas Medical Records Privacy Act

Texas Medical Records Privacy Act A COALFIRE PERSPECTIVE Texas Medical Records Privacy Act Texas House Bill 300 (HB 300) Rick Dakin, CEO & Co-Founder Rick Link, Director Andrew Hicks, Director Overview The State of Texas has pushed ahead

More information

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received

More information

Cybersecurity Health Check At A Glance

Cybersecurity Health Check At A Glance This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014 OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 Linda Sanches, MPH Senior Advisor, Health Information Privacy HCCA Compliance Institute March 31, 2014 Agenda Background Audit Phase

More information

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule. The HIPAA Security Rule outlines

More information

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

GoodData Corporation Security White Paper

GoodData Corporation Security White Paper GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Anatomy of a Healthcare Data Breach

Anatomy of a Healthcare Data Breach BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Information Technology General Controls And Best Practices

Information Technology General Controls And Best Practices Paul M. Perry, FHFMA, CITP, CPA Alabama CyberNow Conference April 5, 2016 Information Technology General Controls And Best Practices 1. IT General Controls - Why? 2. IT General Control Objectives 3. Documentation

More information

How to prepare your organization for an OCR HIPAA audit

How to prepare your organization for an OCR HIPAA audit How to prepare your organization for an OCR HIPAA audit Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. Technical Assistance: 978-674-8121 or Amanda.Howell@iatric.com Audio Options: Telephone

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP

More information

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM Internet Security Protecting Your Business Hayden Johnston & Rik Perry WYSCOM Introduction Protecting Your Network Securing Your Information Standards & Best Practices Tools & Options Into The Future Creating

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014 Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to

More information

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals HIPAA for HIT and EHRs Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals Donald Bechtel, CHP Siemens Health Services Patient Privacy Officer Fair Information Practices

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices Privacy for Healthcare Data in the Cloud - Challenges and Best Practices Dr. Sarbari Gupta sarbari@electrosoft-inc.com 703-437-9451 ext 12 Cloud Standards Customer Council (CSCC) Cloud Privacy Summit Electrosoft

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner

Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner OPRA 2015 Fall Conference November 4, 2015 Presented By: Lisa Pierce Reisz Vorys, Sater, Seymour and Pease LLP 614.464.8353 lpreisz@vorys.com

More information

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act Are your authentication, access, and audit paradigms up to date? Table of Contents Synopsis...1

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Orbograph HIPAA/HITECH Compliance, Resiliency and Security

Orbograph HIPAA/HITECH Compliance, Resiliency and Security Orbograph HIPAA/HITECH Compliance, Resiliency and Security Version 1.0 August 2013 Legal Notice This document is delivered subject to the following conditions and restrictions: The document contains proprietary

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED Michael Almvig Skagit County Information Services Director 1 AGENDA 1 2 HIPAA How Did Privacy The Breach Happen? HIPAA Incident Security Response 3 Corrective Action Plan 4 What We Learned Questions? ACRONYMS

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

OCR/HHS HIPAA/HITECH Audit Preparation

OCR/HHS HIPAA/HITECH Audit Preparation OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education

More information

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice Agenda Learning objectives for this session Fundamentals of Mobile device use and correlation to HIPAA compliance HIPAA

More information

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP

HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right

More information

Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @

Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Checklist for Breach Readiness Enabling a Resilient Organization Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Facts about breach violation impact

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS

AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS OBJECTIVE Increase your IT vocab so that you can assess the risks related to your audits of EHRs and/or EHR related data AGENDA What

More information

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System Purpose CIP-005-5 R2 is focused on ensuring that the security of the Bulk Energy System is not compromised

More information

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,

More information

EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE

EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE A reliable, high-performance network is critical to your IT infrastructure and organization. Equally important to network performance

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

HIPAA Security Overview of the Regulations

HIPAA Security Overview of the Regulations HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

Dell Mobile Clinical Computing

Dell Mobile Clinical Computing Dell Mobile Clinical Computing Healthcare Technology Solutions that Deliver Greater Security, IT Productivity and Clinician Efficiency Today s healthcare environment relies heavily on the latest technology

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit e-book Five Ways to Use Security Intelligence to Pass Your HIPAA Audit HIPAA audits on the way 2012 is shaping up to be a busy year for auditors. Reports indicate that the Department of Health and Human

More information

Guided HIPAA Compliance

Guided HIPAA Compliance Guided HIPAA Compliance HIPAA Solutions for Office Managers and Practitioners SecurityMetrics We protect business Since its founding in 2000, privately-held SecurityMetrics has grown from a small security

More information

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Preparing for and Responding to an OCR HIPAA Audit

Preparing for and Responding to an OCR HIPAA Audit Preparing for and Responding to Carole Klove Carole.Klove@ucsfmedctr.or g Gerry Hinkley gerry.hinkley@pillsburylaw.com SIXTH NATIONAL HIPAA SUMMIT WEST October 10-12, 2012 Overview Background What to expect

More information

HIPAA Compliance: Efficient Tools to Follow the Rules

HIPAA Compliance: Efficient Tools to Follow the Rules Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

OCR HIPAA AUDITS THEY RE BACK!

OCR HIPAA AUDITS THEY RE BACK! OCR HIPAA AUDITS THEY RE BACK! Chris Apgar, CISSP 2016 OVERVIEW OCR Audit Program Overview What to Expect if OCR s Auditors Show Up Potential Penalties and Other OCR Actions How to Prepare for an Audit

More information

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: Jan 27, 2015 8815 Centre Park Drive, Columbia MD 21045 HIPAA About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized

More information

Achieving HIPAA Security Rule Compliance with Lumension Solutions

Achieving HIPAA Security Rule Compliance with Lumension Solutions Achieving HIPAA Security Rule Compliance with Lumension Solutions Healthcare organizations face a host of HIPAA Security Rule compliance challenges with the move to put patient medical records online.

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information