HIPAA: Compliance Essentials

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "HIPAA: Compliance Essentials"

Transcription

1 HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014

2 What is HIPAA??

3 HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change employment (dependent on employer s program)? Rules for Data Interchange Regulations protecting the security and privacy of Protected Health Information (PHI)

4 Privacy vs Security Privacy Rules Establishes the rights of patients to control the use of personal information in all its forms verbal, written, electronic Security Rules Administrative, Physical and Technical safeguards for PHI in digital form (ephi)

5 CIA Confidentiality, Integrity, Availability Confidentiality: The property that data or information is not made available or disclosed to an unauthorized person Integrity: The property that data or information has not been altered or destroyed in an unauthorized manner Availability: The property that data or information is accessible and useable upon demand by an authorized person

6 Structure of the Security Rule Standards the broad security requirements The standards are required Implementation Specifications The more detailed instructions contained within each Standard Some are required (R) Some are addressable (A) flexibility and latitude in meeting Based on what s reasonable and appropriate

7 Defining Reasonable and Appropriate The size and complexity and capabilities of the covered entity The covered entity's technical infrastructure, hardware, and software security capabilities The costs of security measures The probability and criticality of potential risks to ephi

8 Options for Addressable Specifications Implement the specification Implement one or more alternative security measures Do not implement either an addressable implementation specification or an alternative DOCUMENT YOUR DECISION!

9 Three Types of Safeguards 1. ADMINISTRATIVE Organizational Rules and Procedures 9 Standards 23 Implementation Specification 2. PHYSICAL Physical Protections and Rules 4 Standards 10 Implementation Specifications 3. TECHNICAL Technology Protections and Rules 5 Standards 9 Implementation Standards

10 Administrative Safeguards are defined as Actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures and manage the conduct of the covered entity s workforce.

11 Administrative Safeguards Security Management Process Assigned Security Responsibility (no spec) (R) Workforce Security Information Access Management Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation (no spec) (R) Business Associates Contracts (R)

12

13 Physical Safeguards are defined as Physical measures, policies, and procedures to protect a covered entity s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

14 Physical Safeguards Facility Access Controls Workstation Use (no spec) (R) Workstation Security (no spec) (R) Device and Media Controls

15 Technical Safeguards are defined as The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

16 Access Controls Technical Safeguards Audit Controls (no spec) (R) Integrity (R) Person or Entity Authentication (no spec) (R) Transmission Security

17 Options for Risk Management Avoid Do not participate in the risk Reduce Mitigate the causes of risk Transfer Insure against the risk Accept Assume and budget for the risk

18 Elements of an Effective Compliance Program 1. Leadership 2. Policies and Procedures 3. Risk Analysis 4. Education and Training 5. Monitoring and Auditing 6. Response and Reporting 7. Enforcement

19 Levels of compliance 1. Non-compliant 2. Compliant on paper 3. Compliant in practice 4. That is documented, and can be verified and proven

20 Documentation Requirement Implement reasonable and appropriate policies and procedures to comply with the standards Maintain the policies in written form (not verbal) Maintain written record of the action, activity or assessment Must be kept for 6 years Must be made available for those for which the document pertains Periodically review the documentation

21 In a Nutshell: Compliance is 1. Having Written Policies and Procedures 2. That are mapped to the regulations 3. That reflect the findings of your risk analysis 4. That are followed 5. And can be proven via a paper trail of forms, reports, logs, etc.

22 Example #1: Employee Termination Policy Checklist Document

23

24

25 Two BIG Gray Areas 1. Addressable safeguards Based on the Reasonable and Appropriate standard 2. Risk Analysis findings and results

26 The First Step: Risk Analysis Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information

27 Meaningful Use and Risk Analysis MEANINGFUL USE CRITERIA #12 Provide patients with electronic copy of their health information upon request #13 Provide clinical summaries for patients for each offic # 14 Perform at least one test of certified EHR technica #15 Conduct or review a Security Risk Analysis per 45 CFR Conduct or review a Security Risk Analysis per 45 CFR (a)(1) and implement security updates as necessary.

28 Security Risk Analysis and Meaningful Use Meaningful Use Core Requirement # 15 Conduct or review a Security Risk Analysis per 45 CFR (a)(1) and implement security updates as necessary CFR 164 directly references the HIPAA Administrative Standards

29 In Other Words HIPAA Risk Analysis MU Risk Analysis

30 Stage 1 vs Stage 2 Stage 1 CR# 14 or 15: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Stage 2 CR# 9 or 7: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for eligible hospitals.

31 Stage 2 Thoughts 45 CFR (a)(2)(iv) Encryption and Decryption safeguard of the Access Control standard Does Not Change HIPAA Standards (d)(3) regards implementation specifications and addressable safeguards the reasonable and appropriate standards still apply Biggest burden is on EHR vendors EHR vendors required to deliver software in an encrypted state Software must require administrative level privileges to disable encryption New language regarding Risk Management Reference to the Security Management Process Standard

32 HIPAA Verbiage Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information

33 Why Security Risk Analysis? Improves Awareness Justification for Reasonable and Appropriate for Addressable Implementation Specifications Identify assets, vulnerabilities and controls Improved basis for decision making Justify Expenditures for Security Helps determine personnel access levels Otherwise you are just guessing!

34 A Risk Analysis Should Identify IT Assets that touch ephi Clarify ephi flows: into, within, out of Determine policy compliance (regulatory map) Identify and categorize risk to the CIA of ephi Recommend and rank standards and controls for remediating, mitigating and managing risks

35 #1 How to Conduct a Security Risk Analysis? NIST SP Guidance on Risk Assessment SP Resource Guide for Implementing HIPAA Audit Protocol June 2012 ONC Guide to Privacy and Security of HIT Myths and Facts (p.11)

36 ONC Guide to Privacy and Security: Security Risk Analysis Myths and Facts Myths Optional for small providers Installing a certified EHR is enough My EHR vendor is handling this A checklist will suffice Only needs to look at EHR I must outsource the risk analysis. Facts No. All eligible providers (EP) No. The risk analysis must look at all systems with ephi No. EP s are solely responsible for the risk aynalyis No. While useful, they are inadaquate No. All IT assets processing, storing, accessing ephi No. You can conduct this yourself.

37 ONC on Outsourcing P. 17 Select a qualified professional to assist you with the security risk analysis. If you need to, outsource this to a professional, a qualified professional s expertise and focused attention will yield quicker and more reliable results than if your staff does it piecemeal over several months.

38 NIST Process Diagram

39 NIST: Preparation Identify: Purpose Scope Assumptions and Constraints Sources of Information Risk Model and Analytic Approach

40 NIST: Conducting Identify threat sources Identify threat events Identify vulnerabilities Determine likelihood Determine impacts Determine ranking (pairing)

41 Step by Step Guide - Determine the Level of Risk 19. Rank overall risk based on the vulnerability pairings

42 Common Errors Checklists only No inventory Compliance focused only No listing or ranking of risks No recommended controls or mitigation actions Not dated within reporting period for MU

43 Key Auditor Considerations Reference ONC and HHS guidance and Adequately covers risk associated with the use of certified EHR technology Conducted by either audited entity or a consultant (not EHR vendor affirmations) Is it just compliance/checklist or an actual assessment of risks Needs to be dated but can reference a previous risk assessment that shows continued improvement

44 Self assessment tools Problems Not intended for enterprises Hard to use Aren t very good at identifying risks Requires expert knowledge to use well Compliance rather than risk focused NIST not required by nonfederal entities Available Tools: Not Recommended HHS Toolkit NIST Toolkit Use with caution National Learning Consortium HIMSS

45 RA Mini Project Plan Identify team Inventory and Asset List Information Flows Network diagram and system boundary -risk categorization Interfaces inventory Policy review and mapping Security incidents review Training materials review Vulnerability scan and penetration testing Wireless security assessment Firewall/Gateway settings Physical security assessment Contingency plan and backup analysis Leadership analysis Authentication and access controls Encryption determination Transmission security Mobile device security Risk identification and ranking Report-mitigation & controls

46 Risk Assessment Review Only if no significant changes in system or operating environment Full risk analysis should be conducted every 2 to 3 years Iterative (changes since last risk assessment) Document changes Update inventory Review incidences and do root cause analysis Work-flow analysis New vulnerability scans inc. external Review of prior technical assessment (wireless security, authentication and access controls, audit controls, and processes, etc) Progress implementing controls Update risk matrix Recommend and advise on additional security controls Update the security management plan

47 Example: Addressable Safeguard Encryption Class of device laptop, workstation, etc. Laptops portable, battery Mobility and physical security Data storage Performance Alternatives

48 Ranking of Devices 1. Server in a data center 2. Server not in a datacenter 3. Workstations with thin client 4. Non-mobile laptops with thin client 5. Workstations with fat client 6. Mobile laptops with thin client 7. Mobile laptops with fat client

49 Example: Non-regulatory high risk from risk analysis Windows XP EOL April 8th Support being discontinued Devices increasingly vulnerable Regulatory compliance impact?

50 Windows XP EOL Mitigation Options Use of XP machines only for essential applications Repurpose assets to non-sensitive data Ensure and update software for use with XP Discontinuing use of applications that open files from the internet Discontinuing use of Internet Explorer Disconnecting XP machines from the network Increased frequency of vulnerability scans Use web-content filtering to block access to known malicious sites Re-architect assets to thin client Improve network gateway security Replace hardware or upgrade to new OS

51 Closing Thoughts Pulling It All Together Integrate into your business practices Automate as much as possible Application Use active directory and other network tools Define and understand vendors roles Create and use checklists Period based monthly, quarterly, annually Event based new hires, new software, etc Consider outsourcing

52 Your HIPAA Compliance Partner

53 Contact Information: Steve Spearman

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit

More information

2/27/2014. Meaningful Use as it Relates to HIPAA Compliance. Objectives and Agenda. Understand the statutory and regulatory background and purpose

2/27/2014. Meaningful Use as it Relates to HIPAA Compliance. Objectives and Agenda. Understand the statutory and regulatory background and purpose Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

How to Use the NYeC Privacy and Security Toolkit V 1.1

How to Use the NYeC Privacy and Security Toolkit V 1.1 How to Use the NYeC Privacy and Security Toolkit V 1.1 Scope of the Privacy and Security Toolkit The tools included in the Privacy and Security Toolkit serve as guidance for educating stakeholders about

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Richard Gadsden Information Security Office Office of the CIO Information Services

Richard Gadsden Information Security Office Office of the CIO Information Services Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO Information Services Sharon Knowles Information Assurance Compliance MUSC Medical Center

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Meaningful Use Audits. NextGen Physician Consulting Services

Meaningful Use Audits. NextGen Physician Consulting Services Meaningful Use Audits NextGen Physician Consulting Services Agenda Audit Overview Documentation for measures requiring numerator and denominator data Documentation for attestation only measures Security

More information

MEANINGFUL USE DESK AUDIT

MEANINGFUL USE DESK AUDIT MEANINGFUL USE DESK AUDIT October 2015 Protect Electronic Health Information HIPAA Risk Management 1680 E. Joyce Blvd Fayetteville, AR 72704 (800) 501-8973 www.hipaarisk.com Copyright 2015 by HRM Services,

More information

Cybersecurity Health Check At A Glance

Cybersecurity Health Check At A Glance This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Meaningful Use Crosswalk to the Security Rule

Meaningful Use Crosswalk to the Security Rule Meaningful Use Crosswalk to the Security Rule Safeguarding Health Information: Building Assurance through HIPAA Security June 7, 2012 Adam H. Greene, J.D., M.P.H. Partner, Davis Wright Tremaine EHR Certification

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

OIG Security Audit: What You Need To Know

OIG Security Audit: What You Need To Know Watch the Replay on YouTube OIG Security Audit: What You Need To Know Executive Series Webinar July 23rd, 2015 Today s Speakers Elana R. Zana Attorney & Author Ogden Murphy Wallace P.L.L.C. ezana@omwlaw.com

More information

The Second National HIPAA Summit

The Second National HIPAA Summit HIPAA Security Regulations: Documentation and Procedures The Second National HIPAA Summit Healthcare Computing Strategies, Inc. John Parmigiani Practice Director, Compliance Programs Tom Walsh, CISSP Practice

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

Penetration Testing and Vulnerability Scanning

Penetration Testing and Vulnerability Scanning Penetration Testing and Vulnerability Scanning Presented by Steve Spearman VP of HIPAA Compliance Services, Healthicity 20 years in Health Information Technology HIPAA Expert and Speaker Disclaimer: Nothing

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

Meaningful Use and Core Requirement 15

Meaningful Use and Core Requirement 15 Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

HIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004

HIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004 HIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004 Table of Contents Abstract... 3 Assignment 1 Define the Environment...

More information

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE

More information

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.

More information

HIPAA Email Compliance & Privacy. What You Need to Know Now

HIPAA Email Compliance & Privacy. What You Need to Know Now HIPAA Email Compliance & Privacy What You Need to Know Now Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a number of requirements on the healthcare industry

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

HIPAA Compliance Evaluation Report

HIPAA Compliance Evaluation Report Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

Mapping to HIPAA Audit Protocols

Mapping to HIPAA Audit Protocols Mapping to HIPAA Audit Protocols In June 2011, KPMG was awarded the contract to conduct HIPAA audits and develop an audit protocol on behalf of Health and Human Services (HHS) Office for Civil Rights (OCR).

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 14 I. Policy II. A. The, the units of the UW-Madison Health Care Component and each individual or unit within UW-Madison that is a Business Associate of a covered entity (hereafter collectively

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

HIPAA COMPLIANCE PLAN FOR 2013

HIPAA COMPLIANCE PLAN FOR 2013 HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Security. aspen advisors. An Often Overlooked Meaningful Use Requirement. July 2011

Security. aspen advisors. An Often Overlooked Meaningful Use Requirement. July 2011 Security An Often Overlooked Meaningful Use Requirement July 2011 aspen advisors Table of Contents Why Perform a Risk Analysis?... 1 How to Conduct a Risk Analysis?... 1 When to do a Risk Analysis?...

More information

Application Security Questionnaire. Application Name Vendor Version Release Date. Name Title Department. Company Name Telephone #

Application Security Questionnaire. Application Name Vendor Version Release Date. Name Title Department. Company Name Telephone # Instructions: Check the appropriate column to indicate the application s security capabilities. Please provide any additional responses or detailed explanations of other compensating controls as comments.

More information

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool User Guide Version Date: March 2014

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Meaningful Use and Security Risk Analysis

Meaningful Use and Security Risk Analysis Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Data Security and Healthcare

Data Security and Healthcare Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Agenda Introduction / Session Overview HIT Budgeting 101 Security and Compliance EHR budgeting HIT Where Are We Going Q & A 2 Copyright

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI Office of Regulatory Compliance 13001 E. 17 th Place, Suite W1124 Mail Stop F497 Aurora, CO 80045 Main Office: 303-724-1010 Main Fax: 303-724-1019 HIPAA Policy 7.1 Title: Source: Prepared by: Approved

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the Meaningful Use Privacy and Security Risk Assessment September 2010 Table of Contents Regulatory Background CSF Assurance Program Simplifying the Risk Assessment

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability

More information

Security Compliance, Vendor Questions, a Word on Encryption

Security Compliance, Vendor Questions, a Word on Encryption Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

How to prepare your organization for an OCR HIPAA audit

How to prepare your organization for an OCR HIPAA audit How to prepare your organization for an OCR HIPAA audit Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. Technical Assistance: 978-674-8121 or Amanda.Howell@iatric.com Audio Options: Telephone

More information

HIPAA Risk Assessments for Physician Practices

HIPAA Risk Assessments for Physician Practices HIPAA Risk Assessments for Physician Practices Eric Sandhusen Corporate Compliance Director and Privacy Officer Lloyd Torres Director of Ambulatory HIM DISCLAIMER The statements and opinions presented

More information

Preparing for HIPAA and Meaningful Use Compliance Audits

Preparing for HIPAA and Meaningful Use Compliance Audits Preparing for HIPAA and Meaningful Use Compliance Audits Presented by: David Holtzman VP of Compliance, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com

More information

HIPAA Security Rule Compliance and Health Care Information Protection

HIPAA Security Rule Compliance and Health Care Information Protection HIPAA Security Rule Compliance and Health Care Information Protection How SEA s Solution Suite Ensures HIPAA Security Rule Compliance Legal Notice: This document reflects the understanding of Software

More information

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments View the Replay on YouTube Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments FairWarning Executive Webinar Series October 31, 2013 Today s Panel Chris Arnold

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report

Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report April 2009 promoting efficient & effective local government Background The Health Insurance Portability and Accountability

More information

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? You receive a phone call from your CEO. They just received

More information