Driving Information Governance: Compliance, Security, and Privacy as a Base for Information Governance
|
|
- Norah Hall
- 7 years ago
- Views:
Transcription
1 Driving Information Governance: Compliance, Security, and Privacy as a Base for Information Governance Kathy Downing, MA, RHIA, CHPS, PMP Director Practice Excellence AHIMA Twitter: HIPAAqueen #IGNOW
2 Objectives for this Webinar Discuss information governance as used in other industries Outline how the IG Principles of Compliance and Information Protection lay a framework for enterprise wide information governance Identify links from security and privacy
3 Information Governance Not just HealthCare MasterCard Motorola AutoTrader McKesson UBS
4 HIPAA Penalty Tiers Show the Importance of Information Governance Did not know or by reasonable diligence would not have known Each Violation - $100-$50,000 All such violations/yr $1,500,000 Reasonable Cause Each Violation - $1,000-$50,000 All such violations/yr $1,500,000 Willful Neglect Corrected 30 days Each Violation - $10,000-$50,000 All such violations/yr $1,500,000 Willful Neglect Not corrected Each Violation - $50,000 All such violations/yr $1,500,000 4
5 The Year of the HealthCare Hack St. Joseph Health System reports that as many as 405,000 records may have been compromised, but actual damage remains speculative. Massive breach at health care company Anthem Inc
6 HIPAA Breaches Reach 30M Patients HIPAA data breaches climb 138 percent Information on 4.9 million Tricare Management Activity beneficiaries was stolen from a Science Applications International Corporation employee s car in This year, Complete Health Systems, based in Tennessee, reported that a network server was hacked and personal information was stolen, affecting 4.5 million people around the country. Illinois-based Advocate Health and Hospitals Corporation reported the theft of company computers, which impacted almost 4.03 million individuals in Health Net in California had a data breach in 2011 that affected 1.9 million people. In that case, IBM alerted Health Net that several unencrypted server hard drives were missing from a California-based data center.
7 Information Governance How could it help? If your organization has a breach and patient information is not the target of the attack there is still reputational damage and local concern. Enterprise wide effort to protect information, not just clinical information.
8 Insider Threat Consider the insider threat Malicious Accidental Solution Trust and policy are not enough. Organizations must invest in security, risk, and information governance training and enforcement.
9 Analyze sensitive data: Discover and classify sensitive data and uncover compliance risks automatically Know who is accessing data, spot anomalies, and stop data loss with real-time data, application, and file activity monitoring Rapidly analyze data usage patterns to uncover and remediate risks
10 Ponemon Study on Cost of a Breach Overall the average cost of a data breach across all industries was $194 per record. The cost of a data breach in healthcare was $240 per record. Before we examine what makes up these costs, let s look at some of the financial impact of a data breach. # of records / Cost 1 $ $2, $24,000 1,000 $240,000 10,000 $2,400,000
11 Cost of a Breach Per Ponemon Turnover of existing customers Diminished customer acquisition Detection and escalation costs Notification costs Post data breach costs
12 Protection Appropriate levels of protection from breach, corruption and loss must be provided for information that is private, confidential, secret, classified, essential to business continuity, or otherwise requires protection... Must address all sources, all media and must apply throughout the life of the information. AHIMA.ORG/INFOGOV
13 Security Roles and Information Governance Security Officers often focus efforts on: Clinical data Electronic data Expansion of the security officer s role to Information Governance Involvement in business continuity and disaster recovery planning Involvement in access management
14 Exercise #1 Does your organization have technical controls in place to safeguard information? Are technical controls defined, implemented and managed centrally? Are advanced controls and systems like encryption, master data management being evaluated and implemented? Is there a program of continuous monitoring, auditing, and improvement of technical safeguards?
15 OCR Audit Outcomes By Issue 8% 14% 14% 9% 4% 12% 18% 14% 7% Risk Analysis Access Management Security Incident Procedures Contingency Planning and Backups Workstation Security Media Movement and Destruction Encryption Audit Controls and Monitoring Integrity Controls
16 Security Safeguards Administrative - Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity s workforce in relation to the protection of that information. Physical physical measures, policies, and procedures to protect a covered entity s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Technical issues The technology and the policy and procedures for its use that protect electronic protected health information and control access to it. 16
17 Risk Assessment and Information Governance Every organization handles confidential information If a risk analysis is not conducted, then: How will you effectively know what the risks are to your information? How will you adequately determine if controls are implemented and appropriate? How will management and stakeholders make informed decisions? How will you establish an acceptable level of risk?
18 Assessment vs. Analysis Assessment A judgment about something based on an understanding of the situation Analysis The close examination of something in detail in order to draw conclusions from it
19 4 New Risk Assessment Factors ( )[78FR5639] 1. Nature and extent of PHI involved 2. Unauthorized person who used the PHI or to whom it was disclosed 3. Whether the PHI was actually acquired or used 4. Extent to which the risk to the PHI has been mitigated 19
20 Relationships Surrounding Risk Threat 6. which protects against a Exploits or compromises a... Vulnerability or Gap 2. which leads to a But this can be minimized by a... Control or Safeguard 4. and result in... Something Bad Happening 3. that can damage an... Asset, Process or Capability RISK
21 Using Infection As An Example Threat Vulnerability Impact Control Germ Bacteria Microorganism Mouth Nose Wounds Rash Infection Disease Medication Hand washing Surgery
22 Industry Recognized Risk Analysis Methodologies International Organization of Standardization (ISO) provides guidance in the ISO standard which specifies a structured, systematic process for analyzing risks to create a risk treatment plan National Institute of Standards and Technology (NIST) Special Publication (SP) Revision 1, Guide for Conducting Risk Assessments provides guidance for carrying out each of the steps in their risk analysis process Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) provides a standard approach for a risk-driven and practice-based information security evaluation
23 Information Governance for Mobile Devices Information Governance for mobile computing can include building security into the mobile applications. Are your nurses texting your physicians? How are they identifying patients? Do you offer encrypted texting options?
24 What Are Mobile Devices? Smart Phones with personal computer-like functionality Laptops, netbooks and ultrabooks Tablet computers Universal Serial Bus (USB) devices (thumb drives) Digital cameras Radio frequency identification (RFID) devices Source: Mobile Device Security, 2013 AHIMA Convention, Brian Evans, CISSP, CISM, CISA, CGEIT
25 Greatest Data Protection Risks Source: The Risk of Regulated Data on Mobile Devices & in the Cloud Ponemon Institute June 2013 Only 19 percent say their organizations actually know how much regulated data is on mobile devices
26 Mobile Device Threats Theft or physical loss Stored/synchronized data to a public cloud Inadvertent or maliciously leaked information Eavesdropped or intercepted communication Unauthorized access Unauthorized or unlicensed software Malware and malicious code Jail breaking (Apple) or Rooting (Android)
27 Ensure Minimum Security Requirements Use a password or other user authentication Keep security software up-to-date Install or enable encryption Install or activate wiping and/or remote disabling Disable and do not install file-sharing applications Install or enable a firewall Research mobile applications (apps) before downloading Maintain physical control of your mobile device Use VPNs to send or receive health information over public Wi-Fi networks Install or enable security software Delete all stored health information before discarding or reusing the mobile device Source: Office of National Coordinator
28 Information Governance Mobile Device Policy Requires a cross functional IG team Clarify how mobile devices are being used EHR Access Financial system access Consider legal and compliance issues Consider Mobile Device Management Develop your Communications and Training Plan Update and Fine-Tune this one can t stay on the shelf!
29 Mobile Device Management (MDM) An MDM solution would enforce certain security control settings on a personally-owned device to comply with organizational policy Concern: Users may consider this unacceptable since it manages the entire device Once you become part of our network, we are going to apply our network policies to your device A wipe or kill command could erase personal data MDM can control what apps are allowed on a device Some organizations have created their own App store 29
30 Privacy Roles and Information Governance HIPAA privacy rule 2003 Privacy Officer, Privacy Official in Place Time to expand this role outside of clinical information. Enterprise wide standards Enterprise wide access Paper and electronic
31 OCR Audit Outcomes By Issue 4% 2% Business Associates Identify Verification 11% 18% Minimum Necessary Authorizations 9% 8% Deceased Individuals Personal Representatives 7% 17% Judical and Administrative Procedures Group Health Plan Requirements Source: ocr.gov
32 Exercise #2 Has your organization fully implemented identity access management? Is access managed through a central process according to minimum necessary? Do you have access creep?
33 Breach Investigation Process Gather all the facts of the potential breach Document specifically who, when, where, why and how the situation occurred Identify those impacted and what PHI was potentially compromised Analyze & evaluate all the facts objectively to determine whether or not an impermissible access, use, or disclosure of PHI can be substantiated. 33
34 Breach Investigation Process More than just clinical Once a violation is substantiated outline the mitigation, sanctions, education, and prevention remediation actions that will be taken Confirm your notification processes Document all actions and communications (internal and/or external) 34
35 Breach Response / Incident Management Process
36 Discovery and Report Workforce shall report any potential event that adversely affects the confidentiality, integrity, or availability of Institutional Information, regardless of form (electronic or paper).
37 Breach Response / Incident Management Team Chief Information Officer Chief Information Security Officer Chief Medical Information Officer Corporate Compliance Officer Director, Health Information & Privacy Director, Internal Audit Director, Office of Institutional Assurances Director, Risk Management General Counsel Hospital President SCRI President Research Integrity Officer VP Human Resources VP Marketing & Communications Leaders from affected departments
38 Information Governance & Social Media Not just Facebook! Web Publishing Blogs, wikispaces microblogging (twitter) Social Networking LinkedIn File Sharing / storage Google drive Drop Box Photo libraries
39 Biggest Risks of Social Media Lack of a Social Media Policy Who can use social media What they can state / discuss Training is key Employees accidental or intentional Legal Risks This risk is avoidable with an information governance policy, guidelines, monitoring
40 IG Social Media Guideline Examples Specifies authorized individuals Clear distinctions between business and personal use of social media and whether a person can use social media while at work. Strictly forbids any profanity, statements that could be defamatory, inflammatory, Outlines sanctions Draws clear rules on use of company logos Instructs employees shall not have an expectation of privacy when using social media for company purposes. Outlines negative impact on brand.
41 Social Media Will Be Governed According to Policy In Gartner's report from March of 2013 on the "Six Questions to Drive Records Management in Your Social Initiatives," it is clearly stated that social media content requires records management, just like all other content, but many organizations don't know how to create an effective management process. In 2015, more organizations will look to incorporate social media content in their policy definition and explore methods on enforcing the policy across the various systems.
42 Compliance Information practices and processes must comply with organization policies and all applicable laws, regulations, and standards.
43 Enhance IG Awareness and Training Ensure users know what NOT to do: Share passwords or user credentials Allow the use of mobile devices by unauthorized users Store or send unencrypted confidential information Ignore security software updates Download applications from untrusted sources Leave mobile devices unattended Use unsecured Wi-Fi networks for sharing confidential information Discard devices without wiping all confidential information Ignore organizational policies and procedures Source: Office of National Coordinator
44 Valuation of Information Assets Information is being created at a pace faster than organizations can analyze and extract value from it, which means that the potential value of the information may be far greater than the actual value an organization is able to derive. Organizations simply cannot afford to ignore the value of their information assets.
45 New Leaders Will Continue to Emerge / The Evolution of the Privacy, Security, and Compliance Officer In the last few years, there has been a tremendous uptick in the creation of information governance steering committees; however, there is still a need for an executive in each organization to drive the information governance initiative across their company. This executive must have the authority (and oversight) to manage the program.
46 Workforce Awareness Formal IG Training Awareness Program Monitoring and Accountability Regulatory and Legal Response
47 Compliance Expanded Information assets inventory Information asset classification Total cost of ownership Managed inventory of information Patient information request response
48 Wrap Up Compliance + Privacy + Security= Chief Information Governance Officer
49 Resources The Final HITECH Omnibus Rule (January 25, 2013) Combined HIPAA/Omnibus Rule mbined/index.html U.S. Department of Health and Human Services Office for Civil Rights: HIPAA Administrative Simplification - 45 CFR Parts 160, 162, and 164 Information Governance, Robert F. Smallwood 49
50 IG PulseRate a quick check into your organization s IG maturity. Free instant assessment of the maturity level of IG in your organization available at Review and rate the key success measures that impact organizational IG maturity Evaluate your organization s strengths and help identify weaknesses that may be impeding your organization s path to enterprise information governance
51 Driving IG for HealthCare: Recommended Reading AHIMA. Information Governance Principles for Healthcare Chicago, IL. AHIMA, Available at: ARMA International. Generally Accepted Recordkeeping Principles. ARMA International, Available at Cohasset Associates and AHIMA. A Call to Adopt Information Governance Practices Information Governance in Healthcare. Minneapolis, MN. Cohasset Associates, Cohasset Associates and AHIMA. Professional Readiness and Opportunity 2015 Information Governance in Healthcare. Minneapolis, MN. Cohasset Associates, Implementing Health Information Governance, Linda Kloss, MA, RHIA, FAHIMA Enterprise Health Information Management and Data Governance, Merida L Johns, PhD, RHIA. The Information Governance Initiative. The Information Governance Initiative Annual Report and New York, NY. The Joint Commission. Information Management (IM) Chapter, Comprehensive Accreditation Manual for Hospitals, 2014, Oakbrook Terrace, IL: The Joint Commission, 2014, pp.im-1 IM-10. The Sedona Conference. Commentary on Information Governance The Sedona Conference Working Group Series. A project of The Sedona Conference Working Group on Electronic Document Retention and Production (WGI)
52
Managing Mobile Device Security
Managing Mobile Device Security Kathy Downing, MA, RHIA, CHPS, PMP AHIMA Director Practice Excellence Objectives Understand how HIPAA and HITECH apply to mobile devices. Understand the oversight needed
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationPrivacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:
HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates
More informationBuilding the Case for Information Governance in Healthcare
Building the Case for Information Governance in Healthcare Lesley Kadlec MA RHIA Director, HIM Practice Excellence AHIMA #IG NOW @l_kadlec ahima.org/infogov Objectives Define information governance and
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationLaptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice
Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice Agenda Learning objectives for this session Fundamentals of Mobile device use and correlation to HIPAA compliance HIPAA
More informationMobile Medical Devices and BYOD: Latest Legal Threat for Providers
Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationHIPAA Security Rule Changes and Impacts
HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.
More informationFACT SHEET: Ransomware and HIPAA
FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationElectronic Communication In Your Practice. How To Use Email & Mobile Devices While Maintaining Compliance & Security
Electronic Communication In Your Practice How To Use Email & Mobile Devices While Maintaining Compliance & Security Agenda 1 HIPAA and Electronic Communication 2 3 4 Using Email In Your Practice Mobile
More informationSecurity Is Everyone s Concern:
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationHIPAA PRIVACY AND SECURITY FOR EMPLOYERS
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationAre You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives
Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?
More informationHosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
More informationHIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients
HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and
More informationGreenway Marketplace. Hear from GSG Compliance & White Plume November 14, 2013
Greenway Marketplace Hear from GSG Compliance & White Plume November 14, 2013 Marketplace Mission Statement To enhance the Greenway customer user experience by offering innovative, forwardthinking technologies
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More information2016 OCR AUDIT E-BOOK
!! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationINFORMATION SECURITY & HIPAA COMPLIANCE MPCA
INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationSecuring the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer
Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health
More informationArt Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationGuidance on Risk Analysis Requirements under the HIPAA Security Rule
Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationHealthcare Compliance Solutions
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationHIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014
HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationHIPAA Requirements and Mobile Apps
HIPAA Requirements and Mobile Apps OCR/NIST 2013 Annual Conference Adam H. Greene, JD, MPH Partner, Washington, DC Use of Smartphones and Tablets Is Growing 2 How Info Sec Sees Smartphones Easily Lost,
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationIG DG ITG Data Gov IT Gov Info Gov Data Governance vs. Information Governance? Data Gov Info Gov Data Governance vs. Information Governance Data Governance vs. Information Governance Data Facts, Measurements
More informationHIPAA Health & Medical Billing Requirements and Risk Management
May 7, 2013 IT SECURITY, HIPAA PRIVACY AND DISASTER RECOVERY 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationSAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationHIPAA Security & Compliance
Creative Mind. Creative Heart. Creative Care. 2014 WALA Spring Conference HIPAA Security & Compliance Jeff Grady Thursday, March 27 10:30 am HIPAA Security & Compliance A TIME FOR ACTION Jeff Grady, Senior
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationMobile Device Deployments-The Security Dangers of Technology on the Go
Mobile Device Deployments-The Security Dangers of Technology on the Go Presented by Mark Bell, PMP, CISSP, CISA, CHSS OM03 Friday, 10/25/2013 3:45 PM - 5:00 PM Mobile Device Deployments Is Your Organization
More informationAn Independent Member of Baker Tilly International
Healthcare Security and Compliance July 23, 2015 Presenters Kelley Miller, CISA, CISM - Principal Kelley.Miller@mcmcpa.com Barbie Thomas, MBA, CHC Barbie.Thomas@mcmcpa.com 2 Agenda Introductions Cybersecurity
More informationPrivacy & Security. Risk Management Strategies for Healthcare Data. Ohio Hospital Association Centennial Annual Meeting.
Ohio Hospital Association Centennial Annual Meeting Privacy & Security Risk Management Strategies for Healthcare Data Chris Allman, JD Director of Risk Management, Compliance & Insurance Garden City Hospital
More informationIAPP Practical Privacy Series. Data Breach Hypothetical
IAPP Practical Privacy Series Data Breach Hypothetical Presented by: Jennifer L. Rathburn, Partner, Quarles & Brady LLP Frances Wiet, CPO and Assistant General Counsel, Takeda Pharmaceuticals U.S.A., Inc.
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationHIPAA Privacy & Security Rules
HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to
More informationHIPAA Security Education. Updated May 2016
HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More informationNorth Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP
Mobile Device Management Risky Business in Healthcare North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP Agenda HIPAA/HITECH & Mobile Devices Breaches Federal
More informationHIPAA Security Risk Analysis for Meaningful Use
HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA
More informationDatto Compliance 101 1
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
More informationDATA SECURITY HACKS, HIPAA AND HUMAN RISKS
DATA SECURITY HACKS, HIPAA AND HUMAN RISKS MSCPA HEALTH CARE SERVICES SEMINAR Ken Miller, CPA, CIA, CRMA, CHC, CISA Senior Manager, Healthcare HORNE LLP September 25, 2015 AGENDA 2015 The Year of the Healthcare
More informationHIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer
HIPAA LIAISON MEETING PRESENTAITON August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer Current State of HIPAA Enforcement Content Contributor Abby Bonjean, Investigator Office for
More informationHealthcare Compliance Solutions
Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and
More informationHIPAA Compliance. 2013 Annual Mandatory Education
HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health
More informationHIPAA Update Focus on Breach Prevention
HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process
More informationPreparing for the HIPAA Security Rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationHIPAA Security Overview of the Regulations
HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.
More informationAGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED
Michael Almvig Skagit County Information Services Director 1 AGENDA 1 2 HIPAA How Did Privacy The Breach Happen? HIPAA Incident Security Response 3 Corrective Action Plan 4 What We Learned Questions? ACRONYMS
More informationInfoGard Healthcare Services. 2015 InfoGard Laboratories Inc.
InfoGard Healthcare Services 10 Steps To Protect My Covered Entity From Breach Your Presenters Alan Martin Account Manger Marvin Byrd Security Engineer Test and Certification Laboratory Healthcare Payment
More informationEncyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.
Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted. Administrative Awareness Case Study: Government Offices Certification and Accreditation:
More informationADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF. Cheryl Granto Information Security Manager, UFIT Information Security
ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF Susan Blair Chief Privacy Officer Cheryl Granto Information Security Manager, UFIT Information Security RULES OF THE ROAD Information Highway Danger Zones
More informationLegal Issues in Medical Office Use of Social Media. James F. Doherty, Jr. Pecore & Doherty, LLC Columbia, Maryland
Legal Issues in Medical Office Use of Social Media James F. Doherty, Jr. Pecore & Doherty, LLC Columbia, Maryland Legal Issues in Social Media for Physician Practices HIPAA/State Confidentiality laws State
More information03/06/2014. Bring Your Own Device: A Framework for Audit. Acknowledgement
Bring Your Own Device: A Framework for Audit Emily A Knopp, CPA, CISA Audit Director Angelo State University, Member of Texas Tech University System March 6, 2014 Texas Association of College of University
More informationSecurely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com
Securely Yours LLC IT Hot Topics Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps [Image Info]
More informationPREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO JBaskin@nshs.
PREP Course #25: Hot Topics in Cyber Security and Database Security Presented by: Joe Baskin Manager, Information Security, OCIO JBaskin@nshs.edu Objectives Discuss hot topics in cyber security and database
More informationOur Commitment to Information Security
Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as
More informationData Security Considerations for Research
Data Security Considerations for Research Institutional Review Board Annual Education May 8, 2012 1 PRIVACY vs. SECURITY What s the Difference?: PRIVACY Refers to WHAT is protected Health information about
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More information