HIPAA security rules of engagement


The use of health information technology continues to expand in healthcare. Healthcare organizations are using web-based applications and other portals that give physicians, nurses, medical staff, administrative employees and patients increased access to electronic health information. Providers are also using clinical applications such as electronic health records (EHR), radiology, pharmacy, and laboratory systems. This means that the medical workforce and healthcare consumers have quick access to critical health information while being more mobile. While technology provides these and many other opportunities and benefits, it also creates an increase in potential security risks and poses new risks to patient privacy.

HIPAA and HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2008 was created to strengthen the privacy and security protections for health information established under HIPAA by expanding on the existing requirements. The current HIPAA requirements encompass five categories of rules:

1. Privacy Rule: protects the privacy of individually identifiable health information. The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) was adopted as a final Rule in August 2002. The Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral. In contrast, the Security Rule covers only PHI that is in electronic form.

2. Security Rule: sets national standards for the security of ePHI. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is found at 45 CFR Part 160 and Part 164, Subparts A and C. Its Security Management Process standard requires covered entities (healthcare organizations) to "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations" (45 C.F.R (a)(1)). Risk analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard.

3. Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured protected health information if the breach affects 500 or more people.

4. Patient Safety Rule: protects identifiable information being used to analyze patient safety events and improve patient safety.

5. Omnibus Rule: expands the requirements to business associates of covered entities that receive protected health information. HIPAA business associates and business vendors are now subject to the same HIPAA Security Rule requirements and use and disclosure limitations as the covered entity, and are subject to audit and fines by the U.S. Department of Health and Human Services. This rule is a critical step in ensuring ePHI privacy and security, as some of the largest breaches reported to HHS have involved business associates. The rule was effective as of March 26. Both business associates and their subcontractors must now develop comprehensive, written HIPAA security policies and procedures, and must implement the safeguards mandated by the HIPAA Security Rule. Business associates must also enter into written contracts with subcontractors that contain specific provisions required by the HIPAA Privacy and Security Rules. Previously, business associates were only required to ensure that subcontractors agreed to the same restrictions on the use and disclosure of PHI.

Who must comply with the HIPAA Act?

It's important that covered entities and business associates understand and fully comply with the HIPAA Act, as the Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are in adherence with the HIPAA Privacy and Security Rules and Breach Notification standards.

A covered entity covers three groups of individual or corporate entities: health care providers, health plans, and health care clearinghouses [i]. In general, this means any provider of medical or other healthcare services or supplies that transmits any health information in electronic form. Not all healthcare organizations must comply with the HIPAA Rules; for example, organ donation organizations do not (see 45 CFR for the few statutory exemptions).

A business associate is an individual or corporate person that performs, on behalf of the covered entity, any function or activity involving the use or disclosure of PHI and is not a member of the covered entity's workforce. This can include a volunteer, consultant, subcontractor, per-diem nurse, laboratory, collection agency, message service, IT vendor, or other similar persons or businesses.

This white paper focuses on the HIPAA Privacy and Security Rules. The Privacy Rule sets the standards for who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to PHI actually have access. It's important to note that the Privacy Rule applies to all forms of patients' PHI, whether electronic, written, or oral. In contrast, the Security Rule covers only PHI that is in electronic form.

HIPAA rules

The HIPAA Security Rule establishes national standards to protect individuals' ePHI that is created, received, used, or maintained by a covered entity. In developing the Security Rule, HHS chose to closely reflect the requirements of the final Privacy Rule (adopted as a final Rule in August 2002). As a result, covered entities that have implemented the Privacy Rule requirements in their organizations may find that they've already taken many of the measures necessary to comply with the Security Rule. In addition, healthcare organizations that have met Core Requirement #15, "Conduct or Review a Security Risk Analysis" per 45 CFR (a)(1), which is required to qualify for incentive dollars associated with Meaningful Use, have also taken steps to comply with the Security Rule.

The security needs of covered entities can vary significantly; therefore the security standards were designed to provide guidelines to all types of covered entities: small, large, multi-facility, single facility, hospital, physician group practice, clinic, etc. The standards allow a covered entity to choose the technologies and security measures that best meet its specific needs and its ability to comply with the standards. In deciding which technologies and security measures to implement, a covered entity should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. For example, larger entities may feel that penetration testing of electronic systems is warranted, while a two-physician practice would not.

Administrative, physical and technical safeguards

The HIPAA Security Rule poses a challenge for healthcare organizations from a technological as well as a compliance and policy perspective. Organizations need to implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. They also need to review the mechanisms that must be deployed to record and examine system activity in order to identify suspicious data activity. The audit capability must be such that it enables tracing not just to the device, but also to the user.

This is becoming more important as the number and usage of cloud services increases. Currently, there are over 2,000 cloud services, with hundreds being created every few months. It is difficult for a covered entity to manually identify which cloud services are being utilized by employees, and the risk level of those cloud services once identified. Some cloud services, such as Carbonite.com, have a lower level of risk, while others, such as Google cloud service, an unsecured platform, are very risky. Recently a medical center learned that its residents and physicians-in-training used Google to share data on over 3,000 patients. In another example of cloud usage exposing ePHI, a two-person physician practice was fined USD 100,000 for using a cloud-based calendar application, among other things.

The Security Rule requires administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Administrative

Administrative requirements are of a policy and procedural nature, intended to protect data integrity, confidentiality, and availability. They're non-technical in nature and do not directly affect technical implementation. However, administrative procedures should take into account technology issues, and deployments should conform to existing organizational administrative procedures. These requirements include delegation of security responsibility to an individual, workforce HIPAA and security training, a Security Risk Assessment, and a Security Risk Evaluation.
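The audit-control requirement above is that activity on systems holding ePHI must be recorded and examined, and that each record must trace to a user, not just a device. The following is an added example written for this page, not code from the white paper or from Dimension Data; it reviews a handful of constructed EHR audit records (the key=value line format, the business-hours window and the per-user patient threshold are all assumptions) and reports records that carry no user identity, access outside the assumed hours, and users who touched an unusual number of distinct patients in one day.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit records (not from any real system). One record per
# line, key=value pairs, as an EHR application might emit them to syslog.
# The fourth line deliberately lacks a user= field: it traces to the device only.
SAMPLE_LOG = """\
2013-03-04T08:15:02 host=ehr-app01 user=jdoe patient=MRN-0001 action=view
2013-03-04T08:16:40 host=ehr-app01 user=jdoe patient=MRN-0001 action=update
2013-03-04T09:02:11 host=ehr-app02 user=asmith patient=MRN-0002 action=view
2013-03-04T09:05:00 host=ehr-app02 patient=MRN-0003 action=view
2013-03-04T23:41:09 host=ehr-app01 user=bjones patient=MRN-0004 action=view
2013-03-04T10:00:00 host=ehr-app01 user=rlee patient=MRN-0005 action=view
2013-03-04T10:00:05 host=ehr-app01 user=rlee patient=MRN-0006 action=view
2013-03-04T10:00:09 host=ehr-app01 user=rlee patient=MRN-0007 action=view
2013-03-04T10:00:14 host=ehr-app01 user=rlee patient=MRN-0008 action=view
2013-03-04T10:00:20 host=ehr-app01 user=rlee patient=MRN-0009 action=view
2013-03-04T10:00:27 host=ehr-app01 user=rlee patient=MRN-0010 action=view
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local policy window
PATIENT_THRESHOLD = 5                        # assumed distinct patients per user per day


def parse_record(line):
    """Split one audit line into a timestamp plus its key/value fields."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def review_audit_log(text):
    """Return a list of (finding, detail) tuples for an audit log.

    Findings:
      missing_user - record identifies the device but not the person
      after_hours  - access outside the assumed business-hours window
      high_volume  - one user viewed more distinct patients in a day than allowed
    """
    findings = []
    per_user_patients = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if "user" not in rec:
            findings.append(("missing_user", f"{rec['host']} {rec['ts'].isoformat()}"))
            continue
        t = rec["ts"].time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            findings.append(("after_hours", f"{rec['user']} {rec['ts'].isoformat()}"))
        per_user_patients[(rec["user"], rec["ts"].date())].add(rec["patient"])
    for (user, day), patients in sorted(per_user_patients.items()):
        if len(patients) > PATIENT_THRESHOLD:
            findings.append(("high_volume", f"{user} {day} {len(patients)} patients"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_audit_log(SAMPLE_LOG):
        print(f"{kind:22s} {detail}")
```

The "missing_user" finding is the one that matters for the tracing requirement: a record that names only the host is exactly the device-level evidence the Rule says is not enough. The other two checks are ordinary examples of examining recorded activity; the thresholds would come from the entity's own policy.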

Physical Safeguards

Physical safeguards represent policy-level controls and technology solutions to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized access or exploitation. These requirements represent practices to prevent unauthorized access to facilities and physical devices such as workstations and electronic media, to ensure adequate backup and recovery of systems and data, and to ensure proper usage, storage, and disposal of devices.

Technical Safeguards

Technical safeguards are the automated processes used to protect and control access to data. This includes authentication controls to verify that a person is authorized to access the ePHI, hardware and software audit controls, PHI integrity controls, and encrypting and decrypting data during transmission and storage.

While the three safeguards discussed above comprise the majority of the standards and implementation specifications under the Security Rule, there are four other standards that must be implemented. Collectively, these are referred to as the Organizational requirements, which address (1) Business Associate Contracts and Other Arrangements, (2) Requirements for Group Health Plans, (3) Policies and Procedures, and (4) Documentation Requirements.

Within the administrative, physical and technical safeguards, the Security Rule specifications are labeled either "required" or "addressable". If a specification is labeled required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires. A common misconception is that an addressable implementation specification is optional. If an implementation specification is labeled addressable, the covered entity must assess whether it's a reasonable and appropriate safeguard in the entity's environment. If an organization determines that the implementation specification is not reasonable and appropriate, it must document why it is not, and it must adopt an equivalent measure if doing so is reasonable and appropriate.

Periodic evaluations

If your organization is like many, you may have performed a Risk Assessment and drafted the required policies, but you may not be performing a regular audit or updating your policies. To comply with HIPAA and the Meaningful Use (MU) incentive programs, you must continue to review, correct or modify, and update security protections on a periodic basis (yearly for MU). For HIPAA, the need for a new evaluation is driven by changes to the security environment since the last evaluation. For example, if the covered entity has experienced a security incident or is planning to implement new technology, the potential risk should be analyzed to ensure the ePHI is protected. The evaluation covers both the technical and non-technical components of security. If it's determined that existing security measures are not sufficient to protect against the risks associated with the changes to the security environment, then the entity must determine whether additional security measures are needed. This evaluation may be performed internally or by an external firm, which would be acting as a business associate.

HHS OCR security audits

As mentioned earlier, the HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. For years HIPAA privacy and security rules had not been enforced, and healthcare entities had little to worry about in terms of being audited for HIPAA compliance. That has all changed, and every covered entity and business associate is eligible for an audit. In general, the objectives of the audits are to assess whether all vulnerabilities have been addressed and to verify that all compliance requirements have been met. The HHS Office for Civil Rights (OCR) is responsible for performing the audits and enforcing the rules. As part of the audit, entity personnel are interviewed and documentation is requested and reviewed. The actual HIPAA audit covers the following three areas:

Privacy Rule
- notice of privacy practices for PHI
- rights to request privacy protection for PHI
- access of individuals to PHI
- administrative requirements
- uses and disclosures of PHI
- amendment of PHI
- accounting of disclosures

Security Rule
- administrative, physical, and technical safeguards

Breach Notification Rule

The OCR released a checklist for HIPAA Onsite Investigations and Compliance Audit Reviews which details the personnel who may be interviewed and the documents that may be requested (Table 1 - HIPAA Audit Checklist, following page) [ii]. The OCR asks for a significant amount of information, which must be presented in a very short period of time. It would be nearly impossible for an organization to pull this information together if it didn't have all the required documentation already in place. Let this be a warning: you won't be able to pull together a Risk Assessment at the last minute.
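The required-versus-addressable distinction above is a decision procedure, and the documentation it demands is what an auditor asks for. The following is an added example for this page, not code from the white paper or from Dimension Data: a small checker over a constructed control register that applies that procedure. The register format (a spec name, its kind, a status of implemented / alternative / not_implemented, an optional rationale and an optional alternative measure) and the sample entries are assumptions made for the example; only "Risk analysis" as a required specification comes from the page.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ControlEntry:
    spec: str                          # implementation specification name
    kind: str                          # "required" or "addressable"
    status: str                        # "implemented", "alternative", "not_implemented"
    rationale: Optional[str] = None    # why the spec is not reasonable and appropriate here
    alternative: Optional[str] = None  # the equivalent measure adopted instead


def evaluate_entry(entry: ControlEntry) -> List[str]:
    """Apply the required/addressable rule to one register entry; return findings."""
    findings = []
    if entry.kind == "required":
        # Required: must be implemented as written, no documentation substitutes.
        if entry.status != "implemented":
            findings.append(f"{entry.spec}: required specification is not implemented")
        return findings
    if entry.kind != "addressable":
        return [f"{entry.spec}: unknown specification kind {entry.kind!r}"]
    if entry.status == "implemented":
        return findings
    # Addressable and not implemented as written: the assessment must be documented.
    if not entry.rationale:
        findings.append(f"{entry.spec}: addressable specification skipped without documented rationale")
    if entry.status == "alternative" and not entry.alternative:
        findings.append(f"{entry.spec}: alternative measure chosen but not described")
    if entry.status == "not_implemented" and entry.rationale and not entry.alternative:
        # Not a violation by itself, but an auditor will ask whether an
        # equivalent measure was considered and why none was adopted.
        findings.append(f"{entry.spec}: no equivalent measure recorded; confirm none is reasonable and appropriate")
    return findings


def evaluate_register(register) -> List[str]:
    out = []
    for entry in register:
        out.extend(evaluate_entry(entry))
    return out


# Constructed sample register; the entries and their statuses are illustrative.
SAMPLE_REGISTER = [
    ControlEntry("Risk analysis", "required", "implemented"),
    ControlEntry("Sanction policy", "required", "not_implemented"),
    ControlEntry("Encryption and decryption (at rest)", "addressable", "implemented"),
    ControlEntry("Automatic logoff", "addressable", "alternative",
                 rationale="Shared clinical workstations cannot lock mid-procedure",
                 alternative="Proximity badge lock, plus 15-minute screen lock on non-clinical hosts"),
    ControlEntry("Encryption (in transit)", "addressable", "alternative",
                 alternative="TLS on all ePHI interfaces"),
    ControlEntry("Log-in monitoring", "addressable", "not_implemented"),
]


if __name__ == "__main__":
    for finding in evaluate_register(SAMPLE_REGISTER):
        print(finding)
```

Note that "Automatic logoff" produces no finding even though it is not implemented as written: the rationale and the equivalent measure are both recorded, which is exactly what the Rule asks for. "Encryption (in transit)" has an alternative but no rationale, which is the common misconception in practice (treating addressable as optional and skipping the written assessment).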

Typical compliance shortfalls

No organization is 100% secure; however, an organization needs to be in a position to show OCR that it has made a good-faith effort to comply with the law of the Privacy and Security Rule (45 C.F.R). Understanding where other covered entities have come up short can show an organization where it should focus additional attention.

During 2008, CMS performed reviews of 10 healthcare covered entities to verify compliance with the Security Rule [iii]. After completing the reviews, CMS performed an analysis of the identified compliance issues to determine areas where covered entities (CEs) appeared to struggle to comply with the Security Rule. These areas included:
- risk assessment
- currency of policies and procedures
- security training
- workforce clearance
- workstation security
- encryption

Later, in 2012, OCR performed an audit pilot program with 115 covered entities. Audits conducted through June of 2012 found compliance shortfalls similar to those found in 2008, including an absence of periodic Risk Assessments, inadequate policies and procedures, lack of priority for HIPAA compliance programs, and poorly managed third-party risks. As of December 2012, findings from the audits show that [iv]:
- smaller entities had more issues than larger entities
- Security Rule compliance problems were more of an issue than Privacy Rule compliance problems
- entities have been faulted for a lack of policies and procedures directly addressing mobile technology tracking, authentication, and security, including encryption
- Security Rule issues often reflected IT issues involving:
  - user activity monitoring
  - authentication and system integrity
  - user access permissions
  - media reuse/destruction

The audit program also identified the most common HIPAA vulnerabilities as being:
- paper files
- flash drives
- laptops
- social media
- EHR review of your own or others' information
- safeguards not in place (e.g., white boards, elevator conversation)

Table 1 - HIPAA Audit Checklist for HIPAA Onsite Investigations and Compliance Audit Reviews

1. Personnel that may be interviewed
- President, CEO or Director
- HIPAA Compliance Officer
- Lead Systems Manager or Director
- Systems Security Officer
- Lead Network Engineer and/or individuals responsible for:
  - administration of systems which store, transmit, or access Electronic Protected Health Information
  - administration of systems networks (wired and wireless)
  - monitoring of systems which store, transmit, or access EPHI
  - monitoring of systems networks (if different from above)
- Computer Hardware Specialist
- Disaster Recovery Specialist or person in charge of data backup
- Facility Access Control Coordinator (physical security)
- Human Resources Representative
- Director of Training
- Incident Response Team Leader
- others as identified

Table 1 - HIPAA Audit Checklist for HIPAA Onsite Investigations and Compliance Audit Reviews (continued)

2. Documents and other information that may be requested for investigations/reviews

Policies and procedures and other evidence that address the following:
- prevention, detection, containment, and correction of security violations
- employee background checks and confidentiality agreements
- establishing user access for new and existing employees
- list of authentication methods used to identify users authorized to access EPHI
- list of individuals and contractors with access to EPHI, including copies of pertinent business associate agreements
- list of software used to manage and control access to the Internet
- detecting, reporting, and responding to security incidents (if not in the security plan)
- physical security
- encryption and decryption of EPHI
- mechanisms to ensure integrity of data during transmission, including portable media transmission (i.e. laptops, cell phones, BlackBerrys, thumb drives)
- monitoring systems use, authorized and unauthorized
- use of wireless networks
- granting, approving, and monitoring systems access (for example, by level, role, and job function)
- sanctions for workforce members in violation of policies and procedures governing EPHI access or use
- termination of systems access
- session termination policies and procedures for inactive computer systems
- policies and procedures for emergency access to electronic information systems
- password management policies and procedures
- secure workstation use (documentation of specific guidelines for each class of workstation, i.e., on site, laptop, and home system usage)
- disposal of media and devices containing EPHI

Other documents:
- Entity-wide Security Plan
- Risk Analysis (most recent)
- Risk Management Plan (addressing risks identified in the Risk Analysis)
- security violation monitoring reports
- vulnerability scanning plans
- results from most recent vulnerability scan
- network penetration testing policy and procedure
- results from most recent network penetration test
- list of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
- configuration standards, including patch management, for systems which store, transmit, or access EPHI (including workstations)
- encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
- organization chart including staff members responsible for general HIPAA compliance, including the protection of EPHI
- examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
- policies and procedures governing the use of virus protection software
- data backup procedures
- disaster recovery plan
- disaster recovery test plans and results
- analysis of information systems, applications, and data groups according to their criticality and sensitivity
- inventory of all information systems, including network diagrams listing hardware and software used to store, transmit or maintain EPHI
- list of all Primary Domain Controllers (PDC) and servers
- inventory log recording the owner and movement of media and devices that contain EPHI
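Two of the checklist items above, the "termination of systems access" procedures and the "list of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)", are reviewed together in practice by reconciling the account export against the HR roster. The following is an added example for this page, not code from the white paper or from Dimension Data; the two CSV exports are constructed sample data and their column names are assumptions. It flags terminated staff whose accounts are still enabled, logins recorded after a termination date, and enabled accounts with no HR record behind them.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data): an HR roster and an account
# listing from a system that stores ePHI, in the form an auditor would request.
HR_ROSTER_CSV = """\
employee_id,username,status,termination_date
1001,jdoe,active,
1002,asmith,terminated,2013-01-15
1003,bjones,terminated,2013-02-28
1004,rlee,active,
"""

ACCOUNT_EXPORT_CSV = """\
username,enabled,last_login
jdoe,true,2013-03-01
asmith,true,2013-02-20
bjones,false,2013-02-27
rlee,true,2013-03-03
svc_backup,true,2013-03-04
"""


def parse_date(text):
    """ISO date or None for an empty cell."""
    return date.fromisoformat(text) if text else None


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_accounts(hr_csv, accounts_csv):
    """Compare an ePHI system's account list against the HR roster.

    Returns a list of (finding, username) tuples:
      terminated_still_enabled - HR says terminated, account is still enabled
      login_after_termination  - a login was recorded after the termination date
      no_hr_record             - enabled account with no matching HR entry (an orphan,
                                 or a service account whose owner must be documented)
    """
    roster = {row["username"]: row for row in load_csv(hr_csv)}
    findings = []
    for acct in load_csv(accounts_csv):
        name = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = parse_date(acct["last_login"])
        person = roster.get(name)
        if person is None:
            if enabled:
                findings.append(("no_hr_record", name))
            continue
        if person["status"] == "terminated":
            term = parse_date(person["termination_date"])
            if enabled:
                findings.append(("terminated_still_enabled", name))
            if term and last_login and last_login > term:
                findings.append(("login_after_termination", name))
    return findings


if __name__ == "__main__":
    for kind, user in reconcile_accounts(HR_ROSTER_CSV, ACCOUNT_EXPORT_CSV):
        print(f"{kind:26s} {user}")
```

In the sample, bjones produces no finding: the account was disabled and the last login precedes the termination date, which is the evidence the termination procedure is meant to produce. asmith is the case the audit is looking for, and svc_backup shows why the reconciliation needs an owner-of-record for every non-personal account.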

HIPAA violations

HIPAA violations can lead to substantial penalties and burdensome corrective action plans. Just in the recent past:

In 2010, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. agreed to pay USD 1.5 million to the federal government to resolve allegations that it violated the Health Insurance Portability and Accountability Act Security Rule by failing to properly protect patients' protected health information maintained on an unencrypted laptop. The investigation indicated that Massachusetts Eye and Ear had failed to take steps to comply with some Security Rule requirements, including ensuring that data maintained on portable devices was protected from unauthorized users and that procedures were in place for identifying and reporting data security incidents.

Take away: Although encryption is not a requirement under the HIPAA Security Rule, it does provide a safe harbor in the event of a security incident. If a device (laptop, desktop, USB drive, DVD, etc.) that contains ePHI is lost or stolen and the device is encrypted, the covered entity does not have to report the breach. Encryption dramatically reduces the liability of storing ePHI on desktops, laptops and portable devices.

The Alaska Department of Health and Social Services was handed a USD 1.7 million fine by the OCR. The Alaska agency lost a USB drive with 501 patients' information, which led to an investigation by OCR. During the investigation numerous HIPAA violations were uncovered. Based on the severity of the fine, it appears that OCR found the Alaska agency to be in willful neglect of the HIPAA regulations: it had not performed a current Risk Assessment, lacked required policies and procedures, and lacked employee security training.

Take away: Many audits will be the result of a breach. The OCR will investigate the breach and perform a full HIPAA audit. The HIPAA Security Rule mandates that all covered entities perform a Risk Assessment to determine how ePHI is being protected and to recommend additional safeguards. A Risk Assessment is the foundation of the HIPAA Security Rule. If an organization gets audited, one of the first questions is going to be: where is your latest Risk Assessment?

On February 19, 2009, OCR notified Phoenix Cardiac Surgery of its initiation of an investigation of a complaint alleging that it had impermissibly disclosed ePHI by making it publicly available on the Internet via an Internet-based calendar and Internet-based . Ultimately, it was fined USD 100,000 and told to implement a corrective action plan. An audit identified that the practice:
- did not provide and document training of each workforce member on PHI
- failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of PHI
- posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar
- transmitted ePHI from an Internet-based account to workforce members' personal Internet-based accounts on a daily basis
- failed to identify a security official
- failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI
- failed to obtain satisfactory assurances in business associate agreements from the Internet-based calendar and from the Internet-based public providers that these entities would appropriately safeguard the ePHI received from the covered entity

Take away: Many audits will be the result of a complaint. The OCR doesn't care how small an entity is (in this case a two-physician practice), that it may not have known it was breaking the law, or that many other healthcare entities are running their practices in a similar manner; OCR will investigate and fine based on the HIPAA Rules.

HIPAA penalties

OCR may fine or otherwise penalize covered entities if they have not met the HIPAA regulations. Penalties were previously capped at USD 25,000 for multiple violations of the same provision in a single calendar year, but they have been increased for non-compliance based on the level of negligence, with a maximum penalty of USD 1.5 million per violation. These HIPAA fines can be devastating to an organization, as they're usually not covered by general liability insurance. There are specific insurance policies, called HIPAA/cyber insurance, that provide coverage for HIPAA-associated fines and expenses related to data breaches. Interestingly, some of these insurance policies require an organization to attest that it is compliant with HIPAA regulations, has implemented security best practices, etc. So an organization can't avoid being compliant.

A penalty will not be imposed for violations in certain circumstances, such as if:
- the failure to comply was not due to willful neglect, and was corrected during a 30-day period after the entity knew or should have known the failure to comply had occurred (unless the period is extended at the discretion of OCR)
- the Department of Justice has imposed a criminal penalty for the failure to comply

In addition, OCR has the option to reduce a penalty if the failure to comply was due to reasonable cause and the penalty would be excessive given the nature and extent of the non-compliance. Before OCR imposes a penalty, it must notify the covered entity and provide it with an opportunity to submit written evidence of circumstances that would reduce or bar a penalty. This evidence must be submitted by the covered entity to OCR within 30 days of receipt of the notice. In addition, if OCR states that it intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal the proposed penalty [v].

An organization may feel that the chance of being selected for a random OCR HIPAA audit is very small, so it doesn't need to worry. Those organizations should remember that security breaches and complaints can lead to investigations. And recent events indicate that the number of major breaches is increasing [vi]:
- The number of major PHI breaches in 2012 increased by more than 21% compared with the previous year.
- Two-thirds of major breaches result from theft or loss; 38% of breaches come from unencrypted laptops and other portable devices, and 57% involve a business associate.
- The threat of hacking is real: 780,000 Utah Department of Public Health Medicaid and CHIP recipients were affected by a server being hacked.
- Breaches by business associates historically affect five times more patient records than breaches at covered entities.
- Cloud service breaches are becoming more prevalent and are expected to increase as the number of cloud services increases.

It's anticipated that there will be an increase in the frequency of audits in the future, as it's expected that OCR will use proceeds from the fines to fund its activities.

Conclusion

Implementing HIPAA security will enable a covered entity to put in place security measures that protect patient information and lower the risk of security breaches. Training employees on how to protect patient information will help them understand what is required to protect information and familiarize them with security best practices. Avoiding data breaches will eliminate the associated damage to an organization and protect it from loss of revenue. Data breaches can have long-term damaging effects on an organization's reputation that could potentially prevent prospective patients from purchasing services. Avoiding data breaches can protect a covered entity's revenue and reputation.

Remember, at a minimum, a successful compliance program includes:
- regular Risk Assessments
- an action plan to respond to incidents
- analyzing, evaluating, and correcting potential risk areas
- implementation of privacy and security policies and procedures
- technology to record and examine suspicious activity down to the user level
- employee training
- business associate agreements

Dimension Data Healthcare

Our associates have extensive experience assisting clients in the acute, ambulatory, diagnostic services, and other care provider environments, delivering access and information at the point of care. We've been responsible for creating and implementing the technical designs for many hospitals, clinical data centers, and the Cisco LifeConnections Health Center and Pharmacy. We provide HIPAA services and solutions including HIPAA Risk Assessments, Contingency Planning, Security Audit and Evaluation, Security Policy and Procedures, and Managed Recovery Services. To learn more about how we can assist you or to access other healthcare-related white papers, please visit our website.

References
[i] As defined by 45 C.F.R, one that transmits health information in electronic form in connection with a transaction covered by 45 C.F.R. Part 162.
[ii] Please note that the interview and information request document is not a comprehensive list of applicable investigation/review areas, nor does it attempt to address all noncompliance scenarios.
[iii] enforcement/ cmscompliancerev 08.pdf
[iv] HIPAA Audits and the New Audit Protocol, Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance, media.straffordpub.com/products/ hipaa-auditsand-the-new-auditprotocol /presentation.pdf
[v] HHS.org, Enforcement and Penalties for Noncompliance, gov/ocr/privacy/hipaa/understanding/ summary/index.html
[vi] The 3rd Breach Report/Protected Health Information, from Redspin Inc.

Middle East & Africa: Algeria, Angola, Botswana, Congo, Burundi, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Mauritius, Morocco, Mozambique, Namibia, Nigeria, Oman, Rwanda, Saudi Arabia, South Africa, Tanzania, Uganda, United Arab Emirates, Zambia
Asia: China, Hong Kong, India, Indonesia, Japan, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
Australia: Australian Capital Territory, New South Wales, Queensland, South Australia, Victoria, Western Australia
Europe: Austria, Belgium, Czech Republic, France, Germany, Hungary, Italy, Ireland, Luxembourg, Netherlands, Poland, Portugal, Slovakia, Spain, Switzerland, United Kingdom
Americas: Brazil, Canada, Chile, Mexico, United States

For contact details in your region please visit dimensiondata.com/globalpresence


More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

HIPAA Security Overview of the Regulations

HIPAA Security Overview of the Regulations HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.

More information