2016 OCR AUDIT E-BOOK

About BlueOrange Compliance

We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that human capital is limited. Our high-tech, low-touch, and cost-effective approach provides continuous, maximum information and guidance while requiring minimal staff time and engagement.

Contents

- About OCR
- OCR Audit Objective
- Audit Candidates
- Audit Protocol
  - Privacy Rule
  - Security Rule
  - Breach Reporting Rule
- Audit Standards and Measurements
- Audit Timing
- Audit Selection Process
  - Step 1 - OCR Information Verification
  - Step 2 - OCR Questionnaire
  - Step 3 - Creation of the Audit Pool
  - Step 4 - Audit Selection
- Some Words of Caution
  - If You Received the OCR Questionnaire
  - If You Did Not Receive the OCR Questionnaire
- Audit Notification Process
  - Desk Audits
  - Onsite Audits
- Audit Process
  - Desk Audits
  - Onsite Audits
- Anticipated Audit Failure Rate
- Anticipated Audit Failing Points
- If You Fail
- If You Pass
- Best Legal and Ethical Strategy
- Best Practices for Audit Readiness
  - Privacy Rule Best Practices
  - Security Rule Best Practices
  - Breach Reporting Rule Best Practices

About OCR

The Office for Civil Rights (OCR) is an organization within the U.S. Department of Health & Human Services that oversees the privacy and security of protected health information (PHI). OCR investigates HIPAA complaints as well as privacy and security breaches, and can impose sizeable fines on Covered Entities if protected health information is incorrectly accessed, lost or stolen. OCR has recently announced a new audit program targeting selected Covered Entities and Business Associates, designed to assess compliance with HIPAA-mandated processes, controls, and policies.

OCR Audit Objective

The primary audit objective is to assess compliance of the HIPAA-regulated industry, with a focus on selected specifications of the HIPAA Privacy, Security, and Breach Notification Rules. OCR also hopes to discover industry-common vulnerabilities that remain undetected during routine OCR complaint investigations and compliance reviews, and to use these findings to develop new breach prevention strategies. Finally, OCR will be testing a desk audit protocol to determine its effectiveness in gauging overall compliance. OCR will ultimately use all audit findings to determine where to focus ongoing enforcement initiatives.

Audit Candidates

Every Covered Entity and Business Associate is eligible for an audit. Covered Entities and Business Associates selected for the audit will likely represent a blend of organizational types, sizes and geographic locations. In other words, ANY Covered Entity or Business Associate could be selected.

Audit Protocol

OCR will conduct remote desk audits that focus on a limited set of requirements, and then proceed with more comprehensive, onsite audits. The initial audit phase will include desk audits of Covered Entities, followed by desk audits of Business Associates. A third phase will include onsite audits of both Covered Entities and Business Associates.

OCR's audit protocol encompasses requirements and implementation specifications from the HIPAA Privacy, Security and Breach Notification Rules. Included in the protocol are 89 Privacy requirements, 72 Security requirements and 19 Breach Reporting requirements. Based on the type of Covered Entity or Business Associate selected for audit, OCR will identify a subset of topics to be audited from among these 180 audit items.

[Chart: Breakdown of Audit Items by Type: Privacy (89), Security (72), Breach (19)]

A full listing of the 180 audit items included in the audit protocol can be found on the OCR website.

Privacy Rule

Items included in the 2016 OCR Audit Protocol for Privacy Rule Requirements:

- PHI uses and disclosures
- Rights to request privacy protection for PHI
- Personal representatives
- Access of individuals to PHI
- Confidential communication and PHI administrative requirements
- Business Associate contracts
- Amendment of PHI
- Notice of Privacy Practices for PHI

[Chart: Audit Items Per Privacy Regulation (number of items per regulation)]

The top 3 privacy regulations by number of items are:

1. CFR: Uses and disclosures for which an authorization or opportunity to agree or object is not required
2. CFR: Administrative Requirements
3. CFR: Other requirements relating to uses and disclosures of protected health information

Security Rule

Items included in the 2016 OCR Audit Protocol for Security Rule Requirements:

- Risk analysis
- Business associate controls and agreements
- Risk management
- Facility access controls
- Workforce authorization
- Workstation security
- Information access management
- Device control and disposal
- Security awareness training
- Access control
- Contingency planning
- EPHI protection

[Chart: Audit Items Per Security Regulation (number of items per regulation)]

The top 3 security regulations by number of items are:

1. CFR: Administrative Safeguards
2. CFR: Physical Safeguards
3. CFR: Technical Safeguards

Breach Reporting Rule

Items included in the 2016 OCR Audit Protocol for Breach Notification Rule Requirements:

- Breach administrative requirements
- Breach definitions
- Training
- Notification to individuals
- Complaints
- Timeliness, content and method of notifications
- Sanctions
- Retaliatory acts
- Waiver of rights
- Policies, procedures and documentation
- Burden of proof

[Chart: Audit Items Per Breach Regulation (number of items per regulation)]

The top 3 breach regulations by number of items are:

1. CFR: Administrative Requirements
2. CFR: Notification to individuals
3. CFR: Definitions

Audit Standards and Measurements

OCR will use the following standards and measurements when assessing an Entity's compliance with each item selected for audit:

- Verify that Policies and Procedures exist for the Rule;
- Verify that the Entity performs the necessary requirements of the Rule;
- Obtain and review Rule Policies and Procedures to ensure all required elements are included;
- Obtain and review documentation demonstrating the Rule is executed in accordance with Policies and Procedures;
- For Security items, if the item is Addressable (vs. Required) AND the entity has chosen an alternative measure:
  - Obtain documentation as to why the alternative was chosen;
  - Evaluate the documentation and assess whether the alternative is equivalent to the implementation specification.

Audit Timing

The 2016 Audits are currently in process, and are expected to conclude by December 31.

Audit Selection Process

Step 1 - OCR Information Verification

The process begins with an e-mail that requests verification of Entity contact information:

"This is an automated communication from the Office for Civil Rights (OCR). According to our records, you are the primary contact OCR should use to reach [Entity Name] regarding its potential inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program. We are attempting to verify this address. Please respond within fourteen (14) days as instructed below to either confirm your identity and address or instead provide updated primary and secondary contact information.

If you ARE the primary contact for this organization, please select the following link: YES. Once the link is selected, a browser window will open and your response will be recorded.

If you ARE NOT the primary contact for this organization, please select the following link: NO. Once the link is selected, a browser window will open and your response will be recorded.

Thank you for your cooperation. If we do not receive a response from you we will use this address for future communications with this Entity."

Failure to respond will not shield your organization from selection.

Step 2 - OCR Questionnaire

Once contact information is obtained, OCR will send a Questionnaire to Covered Entities and Business Associates for the purpose of gathering demographic data. The Questionnaire will solicit general information, such as organizational type, annual revenue, use of electronic medical records, and number of locations, patient visits, patient beds and clinicians. It is still unknown exactly how many organizations will receive this Questionnaire; however, OCR initially indicated in 2014 that up to 800 organizations could be included.

Step 3 - Creation of the Audit Pool

The demographic data collected from the Questionnaire will be compiled to create a pool of audit candidates. Because OCR is using the information collected to create a diverse sample of Covered Entities and Business Associates, the candidate pool will likely represent a wide range of organizational sizes, types and geographic locations.

Step 4 - Audit Selection

Audit candidates will be randomly selected from the audit pool.

Some Words of Caution

It is important to note that your e-mail system may incorrectly classify e-mails from OCR as spam. This is true for both the Information Verification e-mail and the Questionnaire e-mail. It is therefore highly recommended that you closely monitor your junk or spam folders. Additionally, ignoring the Information Verification e-mail or the Questionnaire (or not locating this OCR communication in your spam folders) will not keep your organization from being entered into the audit pool. OCR will use public information about Entities that do not respond when creating the audit pool, and therefore a non-responding entity may still be selected for audit or be subject to a compliance review.

If You Received the OCR Questionnaire

If your organization received the OCR Questionnaire, it has been included in the audit pool and is subject to a potential audit. Start preparing immediately:

- Gather and organize your Privacy, Security and Breach documentation to ensure your ability to respond in a timely manner if ultimately selected for an audit. An organization selected for audit will be expected to provide the requested audit information within 10 business days of the audit notice.
- Evaluate the agreements, requirements and practices you have in place with third-party IT service providers and other Business Associates. If you haven't done so already, make sure your list of Business Associates is updated and complete.
- Conduct a mock audit to identify missing or incomplete documentation, focusing on documentation related to the notice of privacy practices, right of access, risk analysis, risk management, and breach notification rules.

If You Did Not Receive the OCR Questionnaire

Covered Entities and Business Associates that have not received the OCR Verification or Questionnaire (after having verified this through spam folders) are likely not in the initial audit pool. However, this does not mean the organization is safe from audit, because OCR will use these very audit findings to determine where to focus ongoing enforcement initiatives. Additionally, it just makes sense to achieve and maintain HIPAA compliance, as all Covered Entities are subject to random HIPAA audits, as well as audits resulting from a complaint or security breach.

Audit Notification Process

Covered Entities and Business Associates that are selected for an audit will receive an e-mail from OCR notifying them of their selection and advising them of the requirement to provide documents and other information in response to a document request letter.

Desk Audits

For desk audits, the notification will introduce the audit team, explain the audit process, outline expectations, and include preliminary requests for documentation. For Covered Entities, it will also delineate the information needed from their Business Associates. The audited organization will be expected to provide the requested information within 10 business days, using OCR's secure portal.

Onsite Audits

For onsite audits, the notification will schedule an initial meeting and outline audit expectations.

Audit Process

The audits will focus on particular compliance aspects of the Privacy, Security, and Breach Notification Rules. The audit topic focus may vary based on the type of Covered Entity selected for audit. Audit candidates will be advised of specific audit topics in a document request letter.

Desk Audits

Organizations selected for a desk audit will be required to provide the requested information via an OCR website audit portal. OCR auditors will review the information submitted and create a draft report that outlines a summary of the audit protocol and provides an overview of audit discoveries and conclusions. The draft report will be provided to the audited organization, which will then have 10 business days to review and return the draft with written comments. The final report will be completed within 30 days of OCR's receipt of the organization's response, and will include the organization's written responses to the draft findings. Audited organizations will be provided with a copy of the final report.

Please note that while in-person visits during a desk audit are expected to be minimal, audited organizations should still be prepared for an onsite visit should OCR deem it necessary.

Onsite Audits

Onsite audits will be conducted over a pre-scheduled 3-5 day period, and will cover a more comprehensive scope of the Privacy, Security, and Breach Notification Rules. As with the desk audits, the audited organization will have 10 business days to review the draft report and submit written comments to the OCR auditor. The final report will be completed within 30 days of OCR's receipt of the organization's response and will include the organization's written responses to the draft findings. Audited organizations will be provided with a copy of the final report.

Anticipated Audit Failure Rate

Because this OCR initiative is still in its early stages, meaningful statistics have not yet been generated. However, based on the broad scope of potential audit topics (requirements and implementation specifications from 180 HIPAA Privacy, Security and Breach Notification audit items) and OCR's staunch audit objectives outlined earlier in this document, indications point to substantial failure rates.

Anticipated Audit Failing Points

Again, because this OCR initiative is still in its early stages, meaningful statistics have not yet been generated. However, based on typical Gap Analysis and Risk Assessment findings from BlueOrange Compliance, some anticipated audit failing points are:

- Failure to execute Business Associate Agreements;
- Improper disclosure of PHI;
- Failure to conduct Risk Assessments;
- Insufficient evidence of an active risk management plan;
- Lack of documentation for, or inconsistently enforced, HIPAA-required policies and procedures;
- Inadequate security awareness training for required personnel;
- Failure to document and employ Breach detection, assessment, mitigation and reporting processes.

If You Fail

OCR may initiate a compliance review to investigate any serious compliance issues identified in the audit report.

If You Pass

Passing the OCR audit demonstrates that your organization operates within a basic compliance framework, but it does not necessarily mean you are HIPAA compliant. The OCR audit protocol assesses compliance at a very high level, and therefore passing this audit does not necessarily ensure you would pass a HIPAA audit. Moreover, passing the OCR audit does not make you immune to cyber threats, security breaches or risky end-user practices, nor does it assure that your security controls are ahead of emerging threats.

Best Legal and Ethical Strategy

Healthcare providers are legally and ethically obligated to ensure patient privacy, and the complexity of the HIPAA Security, Privacy and Breach Rules should not be underestimated. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to achieve and maintain compliance. It can be very challenging to test, analyze and remediate your own security and privacy vulnerabilities without interrupting your day-to-day business operations. Consider hiring a compliance partner that specializes in the HIPAA Security, Privacy and Breach Rules. A good compliance partner will help you navigate the process and design a customized approach based on your organization, tailored to meet your specific regulatory requirements and state statutes.

Best Practices for Audit Readiness

Privacy Rule Best Practices

Conduct a Thorough Gap Analysis. Review policies, procedures and processes to make sure they are updated, consistently enforced and that documentation is available. HIPAA Privacy compliance calls for covered entities using or disclosing PHI to provide a Notice of Privacy Practices to patients, create and enforce internal privacy policies and procedures, implement employee training on those procedures, and maintain various logs, forms, and reports to provide proof that they are ensuring compliance, as "ensure" and "required" appear multiple times in the regulations.

Appoint a Privacy Officer. The HIPAA Privacy Rule requires covered entities to designate an individual to oversee privacy compliance and respond to privacy-related complaints, as well as to establish and ensure privacy requirements with contracted Business Associates.

Security Rule Best Practices

Conduct regular HIPAA Security Risk Assessments. Thorough and accurate security assessments will address all applicable areas of your organization within the scope of the 60+ HIPAA Security Rule components, and a thorough review or gap analysis of Privacy and Breach requirements will identify areas that need to be addressed.

Implement an Active Security Plan. A good security plan is a product of a good risk assessment. The plan should clearly state the gaps identified in the risk assessment along with assigned resources and projected completion dates. Aside from thorough content, each organization must actively manage the plan and demonstrate that reasonable remediation progress is being made. Note that open remediation items are still potential violations and can produce negative consequences in the event of a HIPAA audit, so move as quickly as possible.

Evaluate Third-Party Agreements. Evaluate the agreements, requirements and practices you have in place with third-party IT service providers and other Business Associates. It is critical to confirm that Business Associate agreements are in place, are HIPAA compliant, and are being consistently reviewed.

Encrypt your EPHI. Encryption prevents sensitive information from being compromised in transit or at rest. It should be noted that in a potential breach event (compromise of the privacy or security of PHI), the burden of proof is placed on the organization to systematically prove a low probability that the information was compromised. Simply said: guilty unless proven innocent.

Conduct Frequent Vulnerability and Penetration Testing. Penetration testing can identify and exploit vulnerabilities in an effort to determine the likelihood of real-world threats against an organization's IT assets and physical security. Successful testing will simulate the practices and methods of external or internal agents attempting unauthorized data access. Immediately address and correct all security gaps identified in the testing.

Invest in Employee Security Awareness Training. Employee carelessness, forgetfulness and/or lack of knowledge can create a huge gap in an otherwise secure setting. Make sure your employees understand the mechanics of spam, phishing and malware. Test the success of your training by initiating your own internal phishing expeditions to attempt to solicit information from your employees. Hackers often masquerade as a trustworthy entity, such as an organization's CEO, to prey on unsuspecting or unknowing employees who they hope are too busy to pay attention to the details.

Breach Reporting Rule Best Practices

Enforce Breach Administrative Requirements. Ensure your organization closely adheres to the Breach requirements for training, complaint management, sanctions, prohibition of retaliatory acts and waiver of rights.

Maintain Breach Policies and Procedures. Ensure all items have documentation and are fully operational. This includes policies, procedures and documentation for Breach definitions, notification to individuals, and the timeliness, content and method of notifications. Best practice for HIPAA Breach compliance includes assessment, detection and mitigation of the disclosure of protected health information on an as-needed and continuously available basis.

Maintain Burden of Proof Documentation. Ensure updated and available documentation demonstrating Breach detection, assessment, mitigation and reporting processes. Breach notification is required if protected health information is disclosed in a manner not permitted under the Privacy Rule. All such occurrences are presumed to be a breach by default, and the burden of proof is on the Covered Entity to prove a low probability and/or non-actionable likelihood of protected health information having been compromised.

About BlueOrange Compliance

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.


More information

HIPAA Security Education. Updated May 2016

HIPAA Security Education. Updated May 2016 HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15

Privacy & Security: Fundamentals of a Security Risk Analysis. Preparing for Meaningful Use Measure 15 Privacy & Security: Fundamentals of a Security Risk Analysis Preparing for Meaningful Use Measure 15 1/18/2012 Why Are We Here? Privacy and Security is a priority for ONC Consistency among Regional Extension

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Request for Proposal HIPAA Security Risk and Vulnerability Assessment

Request for Proposal HIPAA Security Risk and Vulnerability Assessment Request for Proposal HIPAA Security Risk and Vulnerability Assessment May 1, 2016 First Choice Community Healthcare Timeline The following Timeline has been defined to efficiently solicit multiple competitive

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Preparing for the HIPAA Security Rule

Preparing for the HIPAA Security Rule A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

valueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny

valueoutcome July Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny valueoutcome July 2014 Preparing for Phase 2: The next generation of HIPAA audits Organizations will face enhanced privacy and security scrutiny Highlights 1. In preparation for Phase 2 audits, covered

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Mapping to HIPAA Audit Protocols

Mapping to HIPAA Audit Protocols Mapping to HIPAA Audit Protocols In June 2011, KPMG was awarded the contract to conduct HIPAA audits and develop an audit protocol on behalf of Health and Human Services (HHS) Office for Civil Rights (OCR).

More information

Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner

Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner OPRA 2015 Fall Conference November 4, 2015 Presented By: Lisa Pierce Reisz Vorys, Sater, Seymour and Pease LLP 614.464.8353 lpreisz@vorys.com

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

SCDA and SCDA Member Benefits Group

SCDA and SCDA Member Benefits Group SCDA and SCDA Member Benefits Group HIPAA Privacy Policy 1. PURPOSE The purpose of this policy is to protect personal health information (PHI) and other personally identifiable information for all individuals

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

HIPAA/HITECH Omnibus Final Rule - January 23, 2013

HIPAA/HITECH Omnibus Final Rule - January 23, 2013 HIPAA Omnibus Rule Please note: these slides are intended to provide an overview of general information, not an exhaustive review. No legal advice is being offered or intended. Do not rely on this information

More information

COMMON HIPAA QUESTIONS

COMMON HIPAA QUESTIONS COMMON HIPAA QUESTIONS 1 As a DevOps platform, we talk to a lot of software engineering teams. Explosive growth in digital health over the last few years means there are many developers and managers who

More information

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Conducting a HIPAA Security Risk Analysis For MEANINGFUL USE, HIPAA Compliance and Good Business Practice. Presented for ICAHN by David A.

Conducting a HIPAA Security Risk Analysis For MEANINGFUL USE, HIPAA Compliance and Good Business Practice. Presented for ICAHN by David A. Conducting a HIPAA Security Risk Analysis For MEANINGFUL USE, HIPAA Compliance and Good Business Practice Presented for ICAHN by David A. Ginsberg Agenda Deep Dive into the 15 th Core Objective Conducting

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

2/27/2014. Meaningful Use as it Relates to HIPAA Compliance. Objectives and Agenda. Understand the statutory and regulatory background and purpose

2/27/2014. Meaningful Use as it Relates to HIPAA Compliance. Objectives and Agenda. Understand the statutory and regulatory background and purpose Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Presented by: Don Waechter, Managing Partner Health Compliance Partners Ann Breitinger, Attorney Blalock Walters Legal Disclaimer

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

Lessons Learned from OCR Privacy and Security Audits

Lessons Learned from OCR Privacy and Security Audits Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis Linda Sanches, MPH Verne Rinker, JD MPH Presentation to IAPP Global Privacy Summit March 7, 2013 Program Mandate

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Presented by: Gina L. Campanella, JD, MHA Rules that Control Privacy A collection of laws and regulations including:

More information

Carl Abramson Gerry Blass Susan A Miller

Carl Abramson Gerry Blass Susan A Miller Introductions 0 Carl Abramson has over 35 years of experience in management consulting, IT management, HIPAA compliance, Critical Infrastructure Cyber Security and business process analysis. Carl is President

More information

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1 HIPAA/HITECH Privacy and Security for Long Term Care 1 John DiMaggio Chief Executive Officer, Blue Orange Compliance Cliff Mull Partner, Benesch, Healthcare Practice Group About the Presenters John DiMaggio,

More information

Patient Privacy and Security. Presented by, Jeffery Daigrepont

Patient Privacy and Security. Presented by, Jeffery Daigrepont Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

HIPAA PRIVACY RULE PAT-608: BREACH NOTIFICATION POLICY

HIPAA PRIVACY RULE PAT-608: BREACH NOTIFICATION POLICY HIPAA PRIVACY RULE PAT-608: BREACH NOTIFICATION POLICY I. POLICY: USC 1 shall comply with breach notification requirements under federal and state laws, including the HIPAA privacy and security regulations

More information

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security

More information

POLICY NAME: NOTICE OF PRIVACY BREACHES

POLICY NAME: NOTICE OF PRIVACY BREACHES NOTE: This sample policy is drafted to comply with the HIPAA breach notification rules as amended January 2013. The user should review applicable laws and regulations and modify this sample policy as appropriate

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

HIPAA Enforcement is Here

HIPAA Enforcement is Here HIPAA Enforcement is Here Risks and rewards for MSPs Cam Roberson Director, Reseller Channel Beachhead Solutions THIS JUST IN History of HIPAA Security 1996 Congress Passes Health Insurance Portability

More information

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE

More information

HIPAA: Compliance Essentials

HIPAA: Compliance Essentials HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C. HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information