Security Compliance, Vendor Questions, a Word on Encryption

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Security Compliance, Vendor Questions, a Word on Encryption"

Transcription

1 Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center

2 Agenda Security Rule Requirements A Look at NIST A Word on Encryption Vendor Questions Strategies for Success

3 Security Rule Requirements Learn what's addressable vs. what's required as defined by the HIPAA Security standards Understand what policies and procedures must be in place for compliance Learn the integral parts to ensuring a successful HIPAA Security Compliance Plan Learn how to create and maintain an audit program for verification and validation of security control

4 Create Awareness

5 DHHS Reported Breaches > 500 Individuals Affected 2010/ Reported Breaches ~ 19M Individuals 1.3% 4.7% 9.9% 24.7% 1.0% 1.6% 14.5% 40.5% 1.8% Backup Tapes Computer Electronic Medical Record Laptop and other portable device Network Server Other X-Ray Film Paper Breaches Affecting 500 or More Individuals ( HHS Wall of Shame )

6 Breach of Protected Health Information US Dept. of Health and Human Services reported Data Breaches September 2009 December M Individuals have been affected # Affected Individuals Backup Tapes Computer Electronic Medical Record Laptop and other portable device Network Server 6681 Other X-Ray Film Paper

7 So Why is EHR Security Important? Because everyone cares about the privacy and integrity of their health information. In most cases, the point of computer security is to prevent personal health information from falling into the wrong hands or being inadvertently altered or destroyed. Don t be complacent, drill down on security issues today. Look in every corner of your organization.

8 What is a breach? California State Law Unlawful or unauthorized access to, and use or disclosure of patients medical information whether electronic, paper, or oral Federal Regulations acquisition, access, use, or disclosure of Protected Health Information (PHI) in manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI

9 KEY POINTS Practices need to ensure that their current computer security complies with the HIPAA standards that took effect April 21, Physicians should take responsibility for understanding how health information technology is used in their practice By taking a proactive approach to your computer security now, you will be able to detect and prevent trouble later. There is no one-size-fits-all approach for computer security.

10 Compliance and Confidence Confidence is essential to patients and your organization. A Poneman Institute research Report completed in December 2011 showed that respondents say they have little or no confidence that their organization has the ability to detect ALL data breaches. The study found that general perceptions are that EHR systems have made no difference in security of patient data.

11 Privacy and Security Benchmark Study Findings* Data breaches in healthcare organizations is on the rise Widespread use of mobile devices is putting patients at risk Despite policies and federal mandates, unauthorized access to patient information is not a priority in many organizations Diminished productivity and financial consequences can be severe when data breach incident occurs Medical identity theft poses a greater risk to patients Ponemon Institute Research Report December 2011

12 Breach Examples ing PHI OUTSIDE of the organization (if unencrypted) Texting PHI to another mobile device (if unencrypted) A laptop containing PHI, in your possession, is lost or stolen (if unencrypted) A flash drive containing PHI, in your possession, is lost or stolen (if unencrypted) Electronic equipment containing PHI is improperly disposed of (if unencrypted)

13 Enforcement is on the Upswing! $1B Class-Action Lawsuit Sutter Health $20M lawsuit against Stanford Hospital $865K Resolution Agreement -UCLA Health $4.8B -TRICARE Health Management Sued $4.3M for Violation of HIPAA Privacy Rule -Cignet Health $625 K and counting since Health Net DELAY in notification following data breach reporting brings action by Attorney General Wellpoint

14 Civil Penalty Violations Accidental $100 each violation Up to $25,000 for identical violations, per year Not Willful Neglect, but Not Accidental $1,000 each violation Up to $100,000 for identical violations, per year Willful Neglect (Corrected)$10,000 each violation Up to $250,000 for identical violations, per year Willful Neglect (Not Corrected)$50,000 each Up to $1.5 million, per year

15 Security Rule Overview

16 PHI Defined HIPAA Privacy Rule Protected Health Information (PHI) Individually identifiable health information that is transmitted or maintained in any form Paper Electronic Verbal/Oral

17 PHI Defined Under the HIPAA Security Rule ephi or electronic Protected Health Information is patient health information which is computer based, e.g., created received, stored or maintained, processed and/or transmitted in electronic media. Electronic media o Includes computers, laptops, disks, memory stick, PDAs, servers, networks, dial-modems, E- Mail, websites, etc.

18 How Secure is your ephi? The Security Rule requirements: Ensure the CIA (Confidentiality, Integrity, and Availability) of all ephi created, received, maintained or transmitted. Protect against reasonably anticipated threats or hazards to the security and integrity of ephi, e.g., hackers, virus, data back-ups Protect against unauthorized disclosures

19 Compliance Program Elements 1. Appointment of an official to oversee the program (Privacy and Security Officer) 2. Set standards of expected conduct (Policies and Procedures) 3. Training, education, and awareness (Training) 4. Process for receiving reports of violations (Incident Reporting) 5. Response to reports (Incident Response) 6. On-going auditing and monitoring for compliance (Audits and Evaluation) 7. Take appropriate corrective actions (Sanctions, risk management, security controls, etc.)

20 HIPAA Security Rule Published February 2003 Contains Standards and Implementation Specifications Standards are divided into 5 Categories Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies and Procedure/Documentation Requirements Implementation Specification provide for flexibility depending on size and complexity of the organization Required Addressable

21 Implementation Terms Required (R) Performed by ALL Covered Entities Addressable (A) Covered Entities have additional flexibility on how to satisfy the requirement

22 Security Standards Information Security means to ensure the confidentiality, integrity, and availability of information through safeguards. Confidentiality that information will not be disclosed to unauthorized individuals or processes. Integrity the condition of data or information that has not been altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems Availability the data or information is accessible and useable upon demand by an authorized person.

23 Administrative Safeguards Administrative Safeguards: Non-technical measures that an organization s management establishes Policies Standards Guidelines Procedures Administrative safeguards comprise over half of the HIPAA Security requirements

24 Physical Safeguards Physical Safeguards: Physical measures, policies and procedures to protect a CE s electronic information systems, building and equipment. Physical access: key locks, visitor sign-in sheets, window access Workstation Use/Security: prevent theft, unauthorized access Device/Media controls: removable disks

25 Technical Safeguards Technical Safeguards: the technology and the policies and procedures for its use that protect ephi and control access to it. Rules provide for the CE to determine which type of technology it implements Rules provide for CE to use any security measures that are reasonable and appropriate based on the organization s structure.

26 Addressable Implementation Specifications Covered Entities must Implement one or more of addressable implementation specifications Implement one or more alternative security measures Implement a combination of both Determine that the implementation specification does not apply to its situation (must document rationale)

27 Addressable Implementation Specifications The entity must decide whether a given addressable implementation is reasonable and appropriate to apply within its security framework. The decision depends on a variety of factors including: Entity s Risk Analysis Entity s Risk Mitigation Strategy Security Measures already in place Cost of implementation If a given addressable implementation specification is determined reasonable and appropriate, it must be implemented.

28 Security Standards Administrative Safeguards Security Management Process ( (a) (1) Risk Analysis (R) (a) (1) Risk Analysis Identification of software Worksheet 1 Risk Analysis Threat Assessment -Worksheet 2 Risk Analysis Description of Uses, Hardware/Software - Worksheet 3 Risk Management [Information Security and Privacy Violation(R) Sanction Policy (R) Information System Activity Review (R)

29 Security Standards Administrative Safeguards - more Assigned Security Responsibility ( (a) (2))[Security Officer Policy] Workforce Security ( (a) (3)) Information Access Management ( (a) (4)) Security Awareness & Training ( (a) (5)) Document, document, document!! If it wasn t documented.

30 Security Standards Administrative Safeguards - more Security Incident Procedures ( (a) (6)) Contingency Plan ( (a) (7)) Evaluation of Security Compliance ( (a) (8)) Business Associate Contracts & Other Arrangements ( (b) (1))

31 PHYSICAL SAFEGUARDS Facility Access Controls ( (a)) Workstation Use ( (b)) Workstation Security Policy ( (c)) Device & Media Control ( (d))

32 TECHNICAL SAFEGUARDS Access Control ( (a)) Audit Controls ( (b)) Integrity ( ) (c)) Person or Entity Authentication ( (d)) Transmission Security ( (e))

33 NIST and EHR ARRA emphasized need for US to move toward use of EHR To encourage a widespread adoption of intraoperative health information technology, legislation called for ONC in consultation with NIST to recognize a program for certification of Health Information Technology NIST developed functional and conformance testing requirements, test cases, and test tools in support of the health IT certification program (http://healthcare.nist.gov/use_testing/effective_requirements.html) NIST publishes several Special Publications that can assist with compliance with HIPAA Regulations

34 Security Rule Compliance Alexis "Difficulties mastered are opportunities won -Winston Churchill

35 CMS Security Rule Audits Focus Areas Risk Analysis and management Security training Physical security of facility and mobile devices Off-site access and use of ephi from remote locations Storage of ephi on portable devices and media Disposal of equipment containing ephi Business associate agreements and contracts Data encryption Virus protection Technical safeguards in place to protect ephi Monitoring of access to ephi

36 CMS Key Audit Findings (2008 and 2009) Insufficient Risk Analysis (a)(1)(ii)(A) Inadequate Security Awareness and Training (a)(5)(i) Lack of Current and Adequate Policies and Procedures (a)(8) Policies and Procedures did not address the HIPAA Security Standards and Implementation Specifications Policies and Procedures inconsistent with procedures followed by CE personnel

37 CMS Key Audit Findings Continued Workforce Clearance (a)(3)(ii)(B) o Personnel given access to ephi who do not have a reasonable and appropriate need Workstation Security (b) Encryption (a)(2)(iv) o Lost media not encrypted Insufficient Business Associate Contracts (b)(1)

38 Risk Analysis Audit Findings Risk Analysis (a)(1)(ii)(A) o CE did not perform a risk assessment o CE did not have a formalized documented risk assessment process o CE had outdated risk assessments o CE did not address all potential areas of risk (incomplete)

39 Risk Assessments?? Polling Question Has your organization conducted an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information?

40 Where s Waldo?

41 Breach Safe Harbor PHI rendered unusable, unreadable, or indecipherable Valid encryption processes established for Data at rest, Data in motion (guidance established by NIST) Providers not required to follow guidance o If methodologies ARE used, no breach notification exists Breach Safe Harbor

42 2012 HIPAAAudits

43 A Word About Encryption Audit Findings Encryption and decryption Implement a mechanism to encrypt and decrypt electronic protected health information Encryption was not implemented consistently No negative findings in encryption, Encryption may evolve to a Required Standard Reasonable and appropriate Room for improvement in the formal polices and procedures which addressed encryption.

44 Encryption Strategies for Success Create an inventory of all devices containing ephi including mobile devices Develop Encryption policies. What gets encrypted and to what strength? Implement strong encryption on all devices. Implement Whole Disk Encryption (WDE) o Use FIPS validated solutions Communicate to your workforce

45 Encryption & Integrity Where is ephi stored? Is data at rest & in transit encrypted? owhat type of encryption is used? Is there a firewall? What anti-virus protection is used? owhen & how is it updated & monitored? Any other integrity controls used?

46 Vendor Points to Remember Duties of Vendor that Impact Providers Quality/ effectiveness Guaranteed up-time HIPAA Privacy and Security Compliance Record Keeping Transferability/ exchange Assistance upon termination Vendor must represent and warrant the functionality of the system Vendor must also represent that the system meets the requirements of various standards required under HIPAA

47 Vendor Presentations Whenever possible, ask to see a live demonstration rather than a canned one. Have the right people in the room; whether for an RFP process or the mapping of workflow; include representatives of providers, nurses, medical assistants, IT, security/privacy, front desk, billing, etc. The feedback they will provide from their unique perspectives will be invaluable, and well worth the up front investment of their time.

48 Suggestions for Software Demonstrations How does the EHR restrict bills from being sent to patients homes in the case of minor patients consenting to own treatment? How does the EHR restrict billing to health plans in accordance with patient requests and new HITECH HIPAA requirements? What functions does your EHR have to specially protect (i.e. restrict access) certain patient data? (i.e. substance abuse, mental health, minor consented health information).

49 Demonstrations and Documentation Ask to see the auditing functions. Are they understandable? o Who has access to these features? o Is this limited? Ask to see how difficult it is to: o 1) provide electronic copy of patient data; o 2) paper copy of patient data and how access to those features are configured What training and documentation does the vendor provide for these features?

50 Vendor Questions System Access Role (or user) based access o Does the system allow the organization to create & assign different access roles (to meet minimum necessary requirements)? o Does the vendor assign them? User modifications & terminations Does the organization or the vendor do this? Can access to certain types of records be locked so certain roles are not able to access them (i.e. sensitive records such as mental health, AODA, etc.)?

51 Authentication What type of authentication is used? User ID & Password, or other two-factor? o Does the system work with finger print or id badge sign-on applications? o Does the system work with single sign-on applications? Passwords o o o o o o Strength: at least 8 characters, alpha numeric, and require a character? Frequency to change? Is this forced by the application or something the organization can change? Users may not utilize previous 6 passwords? Users forced to change password after first log-in? What are the default settings? Can settings be changed by users and/or the organization, or only by the vendor?

52 Audit Trails User access What details are included on the audit trail? Is it easy to manipulate the data? How long are audit reports maintained? How easy is it to access meta-data in the case of subpoena? Log-in monitoring Are there system event logs Who monitors them? Can alerts be sent? Does the system lock accounts after 3 unsuccessful

53 General Security Are all of the security features on or is this controlled by the organization? Are there any interdependencies that will impact the confidentiality, integrity, and/or availability of ephi? Have all the security features been tested for reliability? What did the tests show about performing the function correctly, accurately, and with integrity? What other types of security and system support do you provide? Will any of this security cost more or does it come with it? Including support?

54 What Not to Do Don t give staff more rights than they need because it is easier than arguing. It is important to look at all of the rights and permissions in every corner of your System Administrator. Understand each element and assign rights based on minimum necessary. Don t wait! It is much easier to do the hard work now, than to try and fix it later. Talk to staff, ask lots of questions about what they do. Ask about workflow.

55 Question??

56 HIPAA/HITECH Resources Privacy and Security Section of HealthIT.gov: HHS Health IT Privacy and Security Toolkit OCR Guidance: munitypage&parenti d=26&mode=2&in_hi_userid=10732&cached=true OCR HIPAA Privacy Rule Training Materials: OCR Guidance on Significant Aspects of the HIPAA Privacy Rule: ce.html Fast Facts about the HIPAA Privacy Rule: l The HHS Office of Civil Rights, HIPAA FAQs: Guidance materials for Small Providers, Small Health Plans, and other Small Businesses: html OCR s Sample Business Associate Contract Provisions: tml

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA Compliance. 2013 Annual Mandatory Education

HIPAA Compliance. 2013 Annual Mandatory Education HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title

More information

Network Security for End Users in Health Care

Network Security for End Users in Health Care Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HIPAA WEBINAR HANDOUT

HIPAA WEBINAR HANDOUT HIPAA WEBINAR HANDOUT OCR Enforcement Tools Voluntary corrective action Resolution Agreement and Payment CMPs Referral to DOJ for criminal investigation Resolution Agreements Contract signed by HHS and

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.

More information

HIPAA: Bigger and More Annoying

HIPAA: Bigger and More Annoying HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Proofpoint HIPAA Breach Report:

Proofpoint HIPAA Breach Report: Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

Healthcare to Go: Securing Mobile Healthcare Data

Healthcare to Go: Securing Mobile Healthcare Data Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

What Virginia s Free Clinics Need to Know About HIPAA and HITECH What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

HIPAA Security Education. Updated May 2016

HIPAA Security Education. Updated May 2016 HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)

More information

Patient Privacy and Security. Presented by, Jeffery Daigrepont

Patient Privacy and Security. Presented by, Jeffery Daigrepont Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

HIPAA Assessment HIPAA Policy and Procedures

HIPAA Assessment HIPAA Policy and Procedures Sample Client HIPAA Assessment HIPAA Policy and Procedures Sample Client Prepared by: InhouseCIO, LLC CONFIDENTIALITY NOTE: The information contained in this report document is for the exclusive use of

More information

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information