1 Security Compliance, Vendor Questions, a Word on Encryption
Alexis Parsons, RHIT, CPC, MA
Director, Health Information Services; Security/Privacy Officer
Shasta Community Health Center

2 Agenda
- Security Rule Requirements
- A Look at NIST
- A Word on Encryption
- Vendor Questions
- Strategies for Success

3 Security Rule Requirements
- Learn what's addressable vs. what's required as defined by the HIPAA Security standards
- Understand what policies and procedures must be in place for compliance
- Learn the integral parts of ensuring a successful HIPAA Security Compliance Plan
- Learn how to create and maintain an audit program for verification and validation of security controls
4 Create Awareness
5 DHHS Reported Breaches > 500 Individuals Affected, 2010 (Reported Breaches ~19M Individuals)
[Pie chart: Breaches Affecting 500 or More Individuals (HHS "Wall of Shame"), by location of the breached PHI: Backup Tapes, Computer, Electronic Medical Record, Laptop and other portable device, Network Server, Other, X-Ray Film, Paper]

6 Breach of Protected Health Information
US Dept. of Health and Human Services reported Data Breaches, September 2009 December M Individuals have been affected
[Bar chart: # Affected Individuals by location: Backup Tapes, Computer, Electronic Medical Record, Laptop and other portable device, Network Server, Other, X-Ray Film, Paper]
7 So Why is EHR Security Important?
Because everyone cares about the privacy and integrity of their health information. In most cases, the point of computer security is to prevent personal health information from falling into the wrong hands or being inadvertently altered or destroyed.
Don't be complacent; drill down on security issues today. Look in every corner of your organization.

8 What is a breach?
- California State Law: Unlawful or unauthorized access to, and use or disclosure of, patients' medical information, whether electronic, paper, or oral
- Federal Regulations: acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI

9 KEY POINTS
- Practices need to ensure that their current computer security complies with the HIPAA standards that took effect April 21,
- Physicians should take responsibility for understanding how health information technology is used in their practice
- By taking a proactive approach to your computer security now, you will be able to detect and prevent trouble later.
- There is no one-size-fits-all approach for computer security.

10 Compliance and Confidence
Confidence is essential to patients and your organization. A Ponemon Institute research report completed in December 2011 showed that respondents say they have little or no confidence that their organization has the ability to detect ALL data breaches. The study found that the general perception is that EHR systems have made no difference in the security of patient data.

11 Privacy and Security Benchmark Study Findings*
- Data breaches in healthcare organizations are on the rise
- Widespread use of mobile devices is putting patients at risk
- Despite policies and federal mandates, unauthorized access to patient information is not a priority in many organizations
- Diminished productivity and financial consequences can be severe when a data breach incident occurs
- Medical identity theft poses a greater risk to patients
* Ponemon Institute Research Report, December 2011

12 Breach Examples
- E-mailing PHI OUTSIDE of the organization (if unencrypted)
- Texting PHI to another mobile device (if unencrypted)
- A laptop containing PHI, in your possession, is lost or stolen (if unencrypted)
- A flash drive containing PHI, in your possession, is lost or stolen (if unencrypted)
- Electronic equipment containing PHI is improperly disposed of (if unencrypted)

13 Enforcement is on the Upswing!
- $1B Class-Action Lawsuit - Sutter Health
- $20M lawsuit against Stanford Hospital
- $865K Resolution Agreement - UCLA Health
- $4.8B - TRICARE Health Management Sued
- $4.3M for Violation of HIPAA Privacy Rule - Cignet Health
- $625K and counting since - Health Net
- DELAY in notification following data breach reporting brings action by Attorney General - Wellpoint

14 Civil Penalty Violations
Category | Per violation | Identical violations, per year
Accidental | $100 | Up to $25,000
Not Willful Neglect, but Not Accidental | $1,000 | Up to $100,000
Willful Neglect (Corrected) | $10,000 | Up to $250,000
Willful Neglect (Not Corrected) | $50,000 | Up to $1.5 million
15 Security Rule Overview
16 PHI Defined
HIPAA Privacy Rule: Protected Health Information (PHI) is individually identifiable health information that is transmitted or maintained in any form:
- Paper
- Electronic
- Verbal/Oral

17 PHI Defined Under the HIPAA Security Rule
ePHI, or electronic Protected Health Information, is patient health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media.
- Electronic media
  o Includes computers, laptops, disks, memory sticks, PDAs, servers, networks, dial-up modems, e-mail, websites, etc.

18 How Secure is your ePHI?
The Security Rule requirements:
- Ensure the CIA (Confidentiality, Integrity, and Availability) of all ePHI created, received, maintained or transmitted.
- Protect against reasonably anticipated threats or hazards to the security and integrity of ePHI, e.g., hackers, viruses, data back-ups
- Protect against unauthorized disclosures

19 Compliance Program Elements
1. Appointment of an official to oversee the program (Privacy and Security Officer)
2. Set standards of expected conduct (Policies and Procedures)
3. Training, education, and awareness (Training)
4. Process for receiving reports of violations (Incident Reporting)
5. Response to reports (Incident Response)
6. On-going auditing and monitoring for compliance (Audits and Evaluation)
7. Take appropriate corrective actions (Sanctions, risk management, security controls, etc.)

20 HIPAA Security Rule
- Published February 2003
- Contains Standards and Implementation Specifications
- Standards are divided into 5 Categories:
  o Administrative Safeguards
  o Physical Safeguards
  o Technical Safeguards
  o Organizational Requirements
  o Policies and Procedures/Documentation Requirements
- Implementation Specifications provide for flexibility depending on the size and complexity of the organization:
  o Required
  o Addressable

21 Implementation Terms
- Required (R): Performed by ALL Covered Entities
- Addressable (A): Covered Entities have additional flexibility on how to satisfy the requirement

22 Security Standards
Information Security means to ensure the confidentiality, integrity, and availability of information through safeguards.
- Confidentiality: information will not be disclosed to unauthorized individuals or processes.
- Integrity: the condition of data or information that has not been altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems.
- Availability: the data or information is accessible and useable upon demand by an authorized person.

23 Administrative Safeguards
Administrative Safeguards: Non-technical measures that an organization's management establishes:
- Policies
- Standards
- Guidelines
- Procedures
Administrative safeguards comprise over half of the HIPAA Security requirements.

24 Physical Safeguards
Physical Safeguards: Physical measures, policies and procedures to protect a CE's electronic information systems, building and equipment.
- Physical access: key locks, visitor sign-in sheets, window access
- Workstation Use/Security: prevent theft, unauthorized access
- Device/Media controls: removable disks

25 Technical Safeguards
Technical Safeguards: the technology and the policies and procedures for its use that protect ePHI and control access to it.
- Rules provide for the CE to determine which type of technology it implements
- Rules provide for the CE to use any security measures that are reasonable and appropriate based on the organization's structure.

26 Addressable Implementation Specifications
Covered Entities must do one of the following:
- Implement one or more of the addressable implementation specifications
- Implement one or more alternative security measures
- Implement a combination of both
- Determine that the implementation specification does not apply to its situation (must document rationale)

27 Addressable Implementation Specifications
The entity must decide whether a given addressable implementation specification is reasonable and appropriate to apply within its security framework. The decision depends on a variety of factors including:
- Entity's Risk Analysis
- Entity's Risk Mitigation Strategy
- Security Measures already in place
- Cost of implementation
If a given addressable implementation specification is determined reasonable and appropriate, it must be implemented.
28 Security Standards: Administrative Safeguards
- Security Management Process ( (a)(1))
  o Risk Analysis (R)
    - Identification of software - Worksheet 1
    - Threat Assessment - Worksheet 2
    - Description of Uses, Hardware/Software - Worksheet 3
  o Risk Management (R) [Information Security and Privacy Violation]
  o Sanction Policy (R)
  o Information System Activity Review (R)

29 Security Standards: Administrative Safeguards - more
- Assigned Security Responsibility ( (a)(2)) [Security Officer Policy]
- Workforce Security ( (a)(3))
- Information Access Management ( (a)(4))
- Security Awareness & Training ( (a)(5))
Document, document, document!! If it wasn't documented.

30 Security Standards: Administrative Safeguards - more
- Security Incident Procedures ( (a)(6))
- Contingency Plan ( (a)(7))
- Evaluation of Security Compliance ( (a)(8))
- Business Associate Contracts & Other Arrangements ( (b)(1))

31 PHYSICAL SAFEGUARDS
- Facility Access Controls ( (a))
- Workstation Use ( (b))
- Workstation Security Policy ( (c))
- Device & Media Control ( (d))

32 TECHNICAL SAFEGUARDS
- Access Control ( (a))
- Audit Controls ( (b))
- Integrity ( (c))
- Person or Entity Authentication ( (d))
- Transmission Security ( (e))
33 NIST and EHR
- ARRA emphasized the need for the US to move toward use of EHR
- To encourage widespread adoption of interoperable health information technology, legislation called for ONC, in consultation with NIST, to recognize a program for certification of Health Information Technology
- NIST developed functional and conformance testing requirements, test cases, and test tools in support of the health IT certification program (http://healthcare.nist.gov/use_testing/effective_requirements.html)
- NIST publishes several Special Publications that can assist with compliance with HIPAA Regulations

34 Security Rule Compliance - Alexis
"Difficulties mastered are opportunities won." - Winston Churchill

35 CMS Security Rule Audits: Focus Areas
- Risk Analysis and management
- Security training
- Physical security of facility and mobile devices
- Off-site access and use of ePHI from remote locations
- Storage of ePHI on portable devices and media
- Disposal of equipment containing ePHI
- Business associate agreements and contracts
- Data encryption
- Virus protection
- Technical safeguards in place to protect ePHI
- Monitoring of access to ePHI

36 CMS Key Audit Findings (2008 and 2009)
- Insufficient Risk Analysis ( (a)(1)(ii)(A))
- Inadequate Security Awareness and Training ( (a)(5)(i))
- Lack of Current and Adequate Policies and Procedures ( (a)(8))
  o Policies and Procedures did not address the HIPAA Security Standards and Implementation Specifications
  o Policies and Procedures inconsistent with procedures followed by CE personnel

37 CMS Key Audit Findings, Continued
- Workforce Clearance ( (a)(3)(ii)(B))
  o Personnel given access to ePHI who do not have a reasonable and appropriate need
- Workstation Security ( (b))
- Encryption ( (a)(2)(iv))
  o Lost media not encrypted
- Insufficient Business Associate Contracts ( (b)(1))

38 Risk Analysis Audit Findings
- Risk Analysis ( (a)(1)(ii)(A))
  o CE did not perform a risk assessment
  o CE did not have a formalized, documented risk assessment process
  o CE had outdated risk assessments
  o CE did not address all potential areas of risk (incomplete)

39 Risk Assessments?? Polling Question
Has your organization conducted an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information?

40 Where's Waldo?

41 Breach Safe Harbor
- PHI rendered unusable, unreadable, or indecipherable
- Valid encryption processes established for data at rest and data in motion (guidance established by NIST)
- Providers not required to follow guidance
  o If the methodologies ARE used, no breach notification obligation exists

42 2012 HIPAA Audits

43 A Word About Encryption: Audit Findings
- Encryption and decryption: Implement a mechanism to encrypt and decrypt electronic protected health information
- Encryption was not implemented consistently
- No negative findings in encryption; encryption may evolve to a Required Standard
- Reasonable and appropriate
- Room for improvement in the formal policies and procedures which addressed encryption.

44 Encryption Strategies for Success
- Create an inventory of all devices containing ePHI, including mobile devices
- Develop encryption policies. What gets encrypted, and to what strength?
- Implement strong encryption on all devices.
- Implement Whole Disk Encryption (WDE)
  o Use FIPS-validated solutions
- Communicate to your workforce

45 Encryption & Integrity
- Where is ePHI stored?
- Is data at rest & in transit encrypted?
  o What type of encryption is used?
- Is there a firewall?
- What anti-virus protection is used?
  o When & how is it updated & monitored?
- Any other integrity controls used?
46 Vendor Points to Remember
Duties of Vendor that Impact Providers:
- Quality/effectiveness
- Guaranteed up-time
- HIPAA Privacy and Security Compliance
- Record Keeping
- Transferability/exchange
- Assistance upon termination
The vendor must represent and warrant the functionality of the system. The vendor must also represent that the system meets the requirements of the various standards required under HIPAA.

47 Vendor Presentations
Whenever possible, ask to see a live demonstration rather than a canned one. Have the right people in the room; whether for an RFP process or the mapping of workflow, include representatives of providers, nurses, medical assistants, IT, security/privacy, front desk, billing, etc. The feedback they provide from their unique perspectives will be invaluable, and well worth the up-front investment of their time.

48 Suggestions for Software Demonstrations
- How does the EHR restrict bills from being sent to patients' homes in the case of minor patients consenting to their own treatment?
- How does the EHR restrict billing to health plans in accordance with patient requests and new HITECH HIPAA requirements?
- What functions does your EHR have to specially protect (i.e., restrict access to) certain patient data (e.g., substance abuse, mental health, minor-consented health information)?

49 Demonstrations and Documentation
- Ask to see the auditing functions. Are they understandable?
  o Who has access to these features?
  o Is this limited?
- Ask to see how difficult it is to:
  o 1) provide an electronic copy of patient data;
  o 2) provide a paper copy of patient data, and how access to those features is configured
- What training and documentation does the vendor provide for these features?

50 Vendor Questions: System Access
- Role (or user) based access
  o Does the system allow the organization to create & assign different access roles (to meet minimum necessary requirements)?
  o Does the vendor assign them?
- User modifications & terminations: does the organization or the vendor do this?
- Can access to certain types of records be locked so certain roles are not able to access them (e.g., sensitive records such as mental health, AODA, etc.)?
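The two vendor questions above (roles assigned on a minimum-necessary basis, and record types that can be locked away from certain roles) come down to a default-deny access check in which a broad grant never silently reaches a sensitive category. The following is an added illustration written for this page, not any vendor's code; the roles, record categories, actions and grants are constructed, and the wildcard rule (a `*` read grant covers ordinary records only) is this example's own design choice.

```python
"""Default-deny, role-based access check in which sensitive record categories
stay locked unless a role is granted them explicitly.

Constructed illustration: the roles, record categories and grants below are
made up for this example and are not any vendor's or organization's configuration.
"""
from dataclasses import dataclass

# Categories the organization wants lockable per role; the slide names mental
# health and AODA as examples of such sensitive records.
SENSITIVE_CATEGORIES = frozenset({"mental_health", "aoda"})

ANY = "*"  # wildcard category, usable only for non-sensitive records


@dataclass(frozen=True)
class Role:
    name: str
    # (category, action) pairs the role may perform; anything absent is denied
    grants: frozenset


def build_roles():
    """Constructed role set following 'minimum necessary': each role gets only
    the record categories and actions its job requires."""
    return {
        "front_desk": Role("front_desk", frozenset({
            ("demographics", "read"), ("demographics", "write")})),
        "billing": Role("billing", frozenset({
            ("demographics", "read"), ("claims", "read"), ("claims", "write")})),
        "nurse": Role("nurse", frozenset({
            ("demographics", "read"), ("clinical", "read"), ("clinical", "write")})),
        # A broad read grant for providers: the wildcard still never reaches a
        # sensitive category, so mental_health/aoda stay locked for this role.
        "provider": Role("provider", frozenset({
            (ANY, "read"), ("clinical", "write")})),
        "behavioral_health": Role("behavioral_health", frozenset({
            ("demographics", "read"), ("clinical", "read"),
            ("mental_health", "read"), ("mental_health", "write"),
            ("aoda", "read")})),
    }


def is_permitted(role, category, action):
    """Return True only if the role holds an explicit grant for the category,
    or a wildcard grant and the category is not sensitive. Default deny."""
    if (category, action) in role.grants:
        return True
    if category in SENSITIVE_CATEGORIES:
        return False  # locked: wildcards never unlock sensitive records
    return (ANY, action) in role.grants


def roles_with_sensitive_access(roles):
    """Review helper for the security officer: which roles can reach locked
    categories, and with which actions. Useful when checking that access was
    assigned on a minimum-necessary basis."""
    report = {}
    for name, role in roles.items():
        hits = sorted(f"{cat}:{act}" for cat, act in role.grants
                      if cat in SENSITIVE_CATEGORIES)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    roles = build_roles()
    for who, cat, act in [("nurse", "clinical", "read"),
                          ("nurse", "mental_health", "read"),
                          ("provider", "claims", "read"),
                          ("provider", "mental_health", "read"),
                          ("behavioral_health", "mental_health", "write")]:
        print(f"{who:18} {act:5} {cat:14} -> {is_permitted(roles[who], cat, act)}")
    print("roles with sensitive access:", roles_with_sensitive_access(roles))
```

The review helper is the part worth carrying into a vendor demonstration: ask to see the equivalent report in the product, since "who can reach the locked record types" is what an auditor will ask for.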
51 Authentication
- What type of authentication is used? User ID & Password, or other two-factor?
  o Does the system work with fingerprint or ID badge sign-on applications?
  o Does the system work with single sign-on applications?
- Passwords
  o Strength: at least 8 characters, alphanumeric, and require a special character?
  o Frequency to change? Is this forced by the application or something the organization can change?
  o Users may not utilize previous 6 passwords?
  o Users forced to change password after first log-in?
  o What are the default settings?
  o Can settings be changed by users and/or the organization, or only by the vendor?
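What the password questions above amount to in an application, as an added example written for this page (not any vendor's code): a complexity check of at least 8 characters with letters, digits and a special character, a history window so the previous 6 passwords cannot be reused, and a forced change after the first log-in. The storage format (PBKDF2-HMAC-SHA256 with a fresh random salt per history entry) and the round count are this example's assumptions.

```python
"""Password policy enforcement matching the vendor questions: at least 8
characters, letters plus digits plus a special character, no reuse of the
previous 6 passwords, and a forced change after the first log-in.

Constructed illustration, not any vendor's code. Password hashes are stored
with PBKDF2-HMAC-SHA256 and a fresh random salt per entry (an assumption of
this example), so reuse can be refused without keeping the passwords themselves.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
HISTORY_DEPTH = 6          # "may not utilize previous 6 passwords"
PBKDF2_ROUNDS = 20_000     # kept low for the demo; production uses far more


def complexity_problems(password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordAccount:
    """Per-user password state: bounded history (current password last) and
    the flag that forces a change at first log-in."""

    def __init__(self):
        self.history = []       # list of (salt, digest); oldest first
        self.must_change = True  # nothing set yet

    def was_used_recently(self, password):
        """True if the candidate equals the current password or any earlier
        one still inside the HISTORY_DEPTH window."""
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, password, initial=False):
        """Apply the policy and store the new password. `initial=True` marks a
        credential issued by the vendor/administrator, which the user must
        replace at first log-in. Returns (accepted, reasons)."""
        problems = complexity_problems(password)
        if problems:
            return False, problems
        if self.was_used_recently(password):
            return False, [f"matches one of the previous {HISTORY_DEPTH} passwords"]
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # drop entries older than the window
        self.must_change = initial
        return True, []

    def login(self, password):
        """Verify against the current password. Returns (ok, change_required)
        so the application can force the change on first log-in."""
        if not self.history:
            return False, False
        salt, digest = self.history[-1]
        ok = hmac.compare_digest(_hash(password, salt), digest)
        return ok, ok and self.must_change


if __name__ == "__main__":
    acct = PasswordAccount()
    print(acct.set_password("Clinic2012!", initial=True), acct.login("Clinic2012!"))
    print(acct.set_password("short1!"))
    print(acct.set_password("Clinic2012!"))   # refused: still in history
```

When reviewing a product, the settings the slide asks about (length, history depth, expiry) should be visible and changeable by the organization rather than fixed by the vendor; here they are the module constants at the top.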
52 Audit Trails
- User access
  o What details are included on the audit trail?
  o Is it easy to manipulate the data?
  o How long are audit reports maintained?
  o How easy is it to access meta-data in the case of a subpoena?
- Log-in monitoring
  o Are there system event logs? Who monitors them?
  o Can alerts be sent?
  o Does the system lock accounts after 3 unsuccessful
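"Is it easy to manipulate the data?" and "Can alerts be sent?" are the two audit-trail questions a demonstration can actually test. The following is an added example for this page, not any EHR's implementation: each audit entry carries an HMAC over the previous entry's tag and its own canonical content, so an edit, deletion or reordering breaks the chain from that point on, and a small monitor over the same entries flags users who reach three consecutive failed log-ins. The key, user names, timestamps and record ids are constructed.

```python
"""Tamper-evident audit trail plus failed-log-in monitoring.

Constructed illustration for the audit-trail questions, not any EHR's
implementation. Each entry carries an HMAC over the previous entry's tag and
its own canonical content, so editing, removing or reordering an entry breaks
the chain from that point on. The key and the sample events are made up.
"""
import hashlib
import hmac
import json
from collections import defaultdict

GENESIS = b"\x00" * 32  # tag "before" the first entry


def _canonical(event):
    """Stable byte encoding of an event so verification sees what was signed."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    def __init__(self, key):
        self.key = key       # in practice held outside the EHR database
        self.entries = []    # each: {"event": {...}, "tag": hex string}

    def append(self, event):
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else GENESIS
        tag = hmac.new(self.key, prev + _canonical(event), hashlib.sha256).digest()
        self.entries.append({"event": dict(event), "tag": tag.hex()})

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first entry
        whose tag does not match (an edit, deletion or reordering at or before
        that point). Truncation of the tail is not detectable by the chain
        alone; anchor the latest tag somewhere the EHR cannot rewrite."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = hmac.new(self.key, prev + _canonical(entry["event"]),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
                return i
            prev = expected
        return -1


def failed_login_alerts(entries, threshold=3):
    """Users who reach `threshold` consecutive failed log-ins (a success
    resets the count). Mirrors the lock-out/alert question on the slide."""
    streak = defaultdict(int)
    alerted = set()
    for entry in entries:
        ev = entry["event"]
        if ev.get("action") != "login":
            continue
        user = ev["user"]
        if ev.get("outcome") == "failure":
            streak[user] += 1
            if streak[user] >= threshold:
                alerted.add(user)
        else:
            streak[user] = 0
    return sorted(alerted)


# Constructed sample events (times, users and record ids are made up).
SAMPLE_EVENTS = [
    {"ts": "2012-03-01T08:00:01", "user": "jdoe", "action": "login", "outcome": "failure"},
    {"ts": "2012-03-01T08:00:09", "user": "jdoe", "action": "login", "outcome": "failure"},
    {"ts": "2012-03-01T08:01:00", "user": "asmith", "action": "login", "outcome": "success"},
    {"ts": "2012-03-01T08:01:30", "user": "asmith", "action": "view", "record": "MRN-000123", "outcome": "success"},
    {"ts": "2012-03-01T08:02:15", "user": "jdoe", "action": "login", "outcome": "failure"},
    {"ts": "2012-03-01T08:05:00", "user": "asmith", "action": "print", "record": "MRN-000123", "outcome": "success"},
]


def sample_trail(key=b"constructed-demo-key-not-for-real-use"):
    trail = AuditTrail(key)
    for ev in SAMPLE_EVENTS:
        trail.append(ev)
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", trail.verify() == -1)
    print("alerts:", failed_login_alerts(trail.entries))
    trail.entries[3]["event"]["record"] = "MRN-999999"   # an after-the-fact edit
    print("first bad entry after edit:", trail.verify())
```

The retention question on the slide ("How long are audit reports maintained?") is what makes the chain useful: the verification only proves anything for entries that are still there, and the last tag has to be recorded somewhere independent of the system being audited.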
53 General Security
- Are all of the security features on, or is this controlled by the organization?
- Are there any interdependencies that will impact the confidentiality, integrity, and/or availability of ePHI?
- Have all the security features been tested for reliability? What did the tests show about performing the function correctly, accurately, and with integrity?
- What other types of security and system support do you provide?
- Will any of this security cost more, or does it come with the system? Including support?

54 What Not to Do
- Don't give staff more rights than they need because it is easier than arguing. It is important to look at all of the rights and permissions in every corner of your System Administrator. Understand each element and assign rights based on minimum necessary.
- Don't wait! It is much easier to do the hard work now than to try and fix it later.
- Talk to staff, ask lots of questions about what they do. Ask about workflow.

56 HIPAA/HITECH Resources
- Privacy and Security Section of HealthIT.gov
- HHS Health IT Privacy and Security Toolkit
- OCR Guidance: munitypage&parenti d=26&mode=2&in_hi_userid=10732&cached=true
- OCR HIPAA Privacy Rule Training Materials
- OCR Guidance on Significant Aspects of the HIPAA Privacy Rule: ce.html
- Fast Facts about the HIPAA Privacy Rule: l
- The HHS Office of Civil Rights, HIPAA FAQs
- Guidance materials for Small Providers, Small Health Plans, and other Small Businesses: html
- OCR's Sample Business Associate Contract Provisions: tml
Providers Business Name:
Providers Business Address:
City, State, Zip

Acronyms
NIST: National Institute of Standards and Technology
FIPS: Federal Information Processing Standards
PHI: Protected Health Information
EPHI: electronic Protected Health Information
BA: Business Associate
CE: Covered Entity
EHR: Electronic Health Record
HHS: US Department of Health and Human Services
IS