Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
- Arabella Dorsey
- 8 years ago
CONTENTS

- Overview
- Addressing the Unique Issues of Healthcare
- The Consequences of Not Complying
- The Risk of a Data Breach
- Partnering to Achieve End-to-End Compliance
OVERVIEW

As those who work in healthcare IT know, the healthcare industry has some of the most complex IT needs of any industry today. At the same time, HIPAA and related healthcare IT requirements are among the least prescriptive in the IT space, especially when compared with standards such as PCI, which is used to protect payment card information in financial services organizations. With more than 14 million individuals employed in the industry in the United States, protecting the privacy and confidentiality of a patient's electronic medical health records from unauthorized access is paramount to achieving compliance with federal regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the American Recovery and Reinvestment Act and other laws that apply to healthcare organizations.
Organizations subject to HIPAA, referred to as covered entities, and organizations delivering services to covered entities, known as business associates under the HITECH Act, include:

- Healthcare providers such as doctors, hospitals, etc.
- Healthcare insurance and health plan clearinghouses
- Businesses that self-insure
- Businesses that sponsor a group health plan and provide assistance to their employees on medical coverage
- Businesses that deliver services to other healthcare providers

Under these regulatory laws, covered entities and business associates are required to ensure the following safeguards on patient data in order to remain compliant:

- Administrative safeguards to protect the integrity, confidentiality and availability of electronic protected health information (ePHI)
- Physical safeguards to protect the integrity, confidentiality and availability of ePHI
- Technical safeguards to protect the integrity, confidentiality and availability of ePHI

In addition, the HITECH Act, signed into law in 2009, increases the use of Electronic Health Records (EHR) by physicians and hospitals. The Medicare EHR Incentive Program began in 2011; through it, eligible healthcare providers are offered financial incentives for adopting, implementing, upgrading or demonstrating meaningful use of EHR. The incentive payments will continue through 2016, which is the last year to begin participation in the program. Beginning in 2015, penalties may be levied for failing to demonstrate meaningful use. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate such use.
The Medicaid EHR Incentive Program's incentive payments will continue through 2021; however, the last year that an eligible healthcare professional can begin participation in the program will be

Meeting this array of requirements demands that healthcare entities set up strong processes, methods and controls to assure auditors that the security and integrity of PHI and ePHI is guaranteed, all while EHR are being used. Maintaining the security of patient data is a complex proposition that affects every employee of a healthcare facility, every area of its IT system, and all vendors, partners and insurers that work with the healthcare provider. These requirements become even more complex when organizations work with the single largest healthcare program in the world, TRICARE. TRICARE is the healthcare program serving uniformed service members, retirees and their families worldwide. Now, not only are healthcare organizations required to protect PHI and ePHI, they are also required to support the civilian and DoD IT requirements FISMA and DIACAP.
Addressing the Unique Issues of Healthcare

To protect PHI and ePHI, covered entities and business associates must abide by the following standards (requirement and description).

1. Breach Notification Policy: Defines how the covered entity will respond to security and/or privacy incidents, or suspected privacy and/or security incidents, that result in a breach.
2. Security Management Process: Describes the processes the organization implements to prevent, detect, contain and correct security violations relative to its ePHI.
3. Risk Analysis: Discusses what the organization should do to identify, define and prioritize risks to the confidentiality, integrity and availability of its ePHI.
4. Risk Management: Defines what the organization should do to reduce the risks to its ePHI to reasonable and appropriate levels.
5. Sanction Policy: Indicates the actions to be taken against employees who do not comply with organizational security policies and procedures.
6. Information System Activity Review: Describes processes for regular organizational review of activity on its information systems containing ePHI.
7. Assigned Security Responsibility: Describes the requirements for the responsibilities of the Information Security Officer.
8. Workforce Security: Describes what the organization should do to ensure that ePHI is accessed only by employees who have been appropriately authorized.
9. Authorization and/or Supervision: Identifies what the organization should do to ensure that all employees who can access its ePHI are appropriately authorized or supervised.
10. Workforce Clearance Procedure: Reviews what the organization should do to ensure that employee access to its ePHI is appropriate.
11. Termination Procedures: Defines what the organization should do to prevent unauthorized access to its ePHI by former employees.
12. Information Access Management: Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ePHI.
13. Access Authorization: Defines how the organization provides authorized access to its ePHI.
14. Access Establishment and Modification: Discusses what the organization should do to establish, document, review and modify access to its ePHI.
15. Security Awareness & Training: Describes the elements of the organizational program for regularly providing appropriate security training and awareness to its employees.
16. Security Reminders: Defines what the organization should do to provide ongoing security information and awareness to its employees.
17. Protection from Malicious Software: Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting and reporting malicious software.
18. Log-in Monitoring: Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies.
19. Password Management: Describes what the organization should do to maintain an effective process for appropriately creating, changing and safeguarding passwords.
20. Security Incident Procedures: Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity or availability of its ePHI.
21. Response and Reporting: Defines what the organization should do to be able to respond effectively to security incidents involving its ePHI.
22. Contingency Plan: Identifies what the organization should do to be able to respond effectively to emergencies or disasters that impact its ePHI.
23. Data Backup Plan: Discusses organizational processes to regularly back up and securely store ePHI.
24. Disaster Recovery Plan: Indicates what the organization should do to create a disaster recovery plan to recover ePHI that was impacted by a disaster.
25. Emergency Mode Operation Plan: Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ePHI during and immediately after a crisis situation.
26. Testing and Revision Procedure: Describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up to date and effective.
27. Applications and Data Criticality Analysis: Reviews what the organization should do to have a formal process for defining and identifying the criticality of its information systems.
28. Evaluation: Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.
29. Business Associate Contracts and Other Arrangements: Describes how to establish the agreements that should exist between the organization and its various business associates that create, receive, maintain or transmit ePHI on its behalf.
30. Facility Access Controls: Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.
31. Contingency Operations: Identifies what the organization should do to have formal, documented procedures for allowing authorized employees to enter its facility to take necessary actions as defined in its disaster recovery and emergency mode operations plans.
32. Facility Security Plan: Discusses what the organization should do to establish a facility security plan to protect its facilities and the equipment therein.
33. Access Control and Validation Procedures: Discusses what the organization should do to appropriately control and validate physical access to its facilities containing information systems that hold ePHI or software programs that can access ePHI.
34. Maintenance Records: Defines what the organization should do to document repairs and modifications to the physical components of its facilities related to the protection of its ePHI.
35. Workstation Use: Indicates what the organization should do to appropriately protect its workstations.
36. Workstation Security: Reviews what the organization should do to prevent unauthorized physical access to workstations that can access ePHI while ensuring that authorized employees have appropriate access.
37. Device and Media Controls: Discusses what the organization should do to appropriately protect information systems and electronic media containing PHI that are moved to various organizational locations.
38. Disposal: Describes what the organization should do to appropriately dispose of information systems and electronic media containing ePHI when they are no longer needed.
39. Media Re-use: Discusses what the organization should do to erase ePHI from electronic media before re-using the media.
40. Accountability: Defines what the organization should do to appropriately track and log all movement of information systems and electronic media containing ePHI to various organizational locations.
41. Data Backup and Storage: Discusses what the organization should do to back up and securely store ePHI on its information systems and electronic media.
42. Access Control: Indicates what the organization should do to purchase and implement information systems that comply with its information access management policies.
43. Unique User Identification: Discusses what the organization should do to assign a unique identifier to each of its employees who access its ePHI, for the purpose of tracking and monitoring use of information systems.
44. Emergency Access Procedure: Discusses what the organization should do to have a formal, documented emergency access procedure enabling authorized employees to obtain required ePHI during an emergency.
45. Automatic Logoff: Discusses what the organization should do to develop and implement procedures for terminating users' sessions after a certain period of inactivity on systems that contain or have the ability to access ePHI.
46. Encryption and Decryption: Discusses what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of its ePHI.
47. Audit Controls: Discusses what the organization should do to record and examine significant activity on its information systems that contain or use ePHI.
48. Integrity: Defines what the organization should do to appropriately protect the integrity of its ePHI.
49. Mechanism to Authenticate Electronic Protected Health Information: Discusses what the organization should do to implement appropriate electronic mechanisms to confirm that its ePHI has not been altered or destroyed in any unauthorized manner.
50. Person or Entity Authentication: Defines what the organization should do to ensure that all persons or entities seeking access to its ePHI are appropriately authenticated before access is granted.
51. Transmission Security: Describes what the organization should do to appropriately protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
52. Integrity Controls: Indicates what the organization should do to maintain appropriate integrity controls that protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
53. Encryption: Defines what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
54. Policies and Procedures: Defines the requirements for establishing organizational policies and procedures.
55. Documentation: Discusses what the organization should do to appropriately maintain, distribute and review the security policies and procedures it implements to comply with the HIPAA Security Rule.
56. Isolating Healthcare Clearinghouse Function: The purpose is to implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
57. Group Health Plan Requirements: The purpose is to ensure that reasonable and appropriate safeguards are maintained on electronic protected health information created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan.
58. Wireless Security Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of the wireless infrastructure.
59. E-mail Security Policy: The purpose is to establish management direction, procedures and requirements to ensure the safe and successful delivery of e-mail.
60. Analog Line Policy: The purpose is to explain the Company's analog and ISDN line acceptable use and approval policies and procedures.
61. Dial-in Access Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of dial-in connections to the enterprise infrastructure.
62. Automatically Forwarded E-mail Policy: The purpose is to prevent the unauthorized or inadvertent disclosure of sensitive company information.
63. Remote Access Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of remote access connections to the enterprise infrastructure.
64. Ethics Policy: The purpose is to establish a culture of openness, trust and integrity in business practices.
65. VPN Security Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of the VPN infrastructure.
66. Extranet Policy: The purpose is to describe the policy under which third-party organizations connect to the Company's networks for the purpose of transacting business related to the Company.
67. Internet DMZ Equipment Policy: The purpose is to define the standards to be met by all equipment owned and/or operated by the Company that is located outside the Company's corporate Internet firewalls.
68. Network Security Policy: The purpose is to establish requirements for information processed by computer networks.

The Consequences of Not Complying

While complying with HIPAA used to be perceived as optional, the HITECH Act of 2009 gave HIPAA compliance some long-awaited teeth. Today, both HIPAA and the HITECH Act are consistently enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Just ask Cignet Health. In 2009, for the first time in history, federal officials issued a civil monetary penalty (CMP) to a healthcare organization for violations of the HIPAA Privacy Rule. When Cignet Health of Prince George's County, Md. failed to provide 41 patients with access to their medical records and then failed to cooperate with federal investigators, HHS imposed a CMP of $4.3 million for the violations. In a Notice of Proposed Determination issued Oct. 20, 2010, the OCR found that Cignet had violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October. These patients individually filed complaints with OCR, initiating an investigation of each complaint. Because the HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request, Cignet's CMP began at $1.3 million. Making matters worse for Cignet, OCR also found that the medical service provider failed to cooperate with OCR's investigations on a continuing daily basis from March 17, 2009, to April 7. OCR found that the failure to cooperate was due to Cignet's willful neglect to comply with the Privacy Rule, which states that covered entities are required under law to cooperate with the Department's investigations. Based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the HITECH Act, Cignet's fine was increased by an additional $3 million. This steep $4.3 million penalty sent a clear message to healthcare entities: HHS is serious about enforcing the individual rights guaranteed by HIPAA.
The Risk of a Data Breach

The Cignet case is of course an extreme one, and the organization knowingly violated patient rights, but what about a data breach? Because PHI records typically contain highly personal data such as a person's name, birthdate, Social Security number, insurance information and medical history, it should come as no surprise that healthcare data theft is the fastest growing criminal enterprise today. In fact, according to a recent study by the Ponemon Institute, 90 percent of all healthcare providers say they have had at least one data breach in the last two years, and 38 percent report more than five incidents in the past year [1]. However, not all data breaches are the result of malicious intent. Rather, the vast majority are the result of unintentional actions by employees or third-party vendors. From lost or stolen laptops to misdirected e-mails and faxes, sensitive information can be exposed at any point in the process. And while the cost of healthcare data breaches has been hard to quantify, the economic impact of an incident tends to average $2 million per organization over a two-year period. In addition to the actual loss of money, most organizations also suffer time and productivity loss, brand or reputation damage and/or loss of patient goodwill, resulting in patient churn. Forty-five percent of organizations have little or no confidence that they have the ability to identify patient data loss or theft. However, 55 percent of organizations are confident that they have the policies and procedures to effectively prevent or quickly detect unauthorized patient data access, loss or theft [1].
Partnering to Achieve End-to-End Compliance

Ultimately, the Ponemon Institute study [1] revealed the need to strengthen privacy and security to protect patient data. It can become overwhelming for a healthcare provider to ensure that all systems and processes meet the criteria of HIPAA and the HITECH Act, and even when the minimum criteria are met, that does not necessarily mean that PHI is secure. Whether or not it is known that gaps exist, it is still the responsibility of the covered entity or business associate to ensure that PHI is protected and that incident response measures are in place so the organization is adequately prepared to handle data breaches. To assist, the National Institute of Standards and Technology (NIST) provides the conformance tests, tools and resources needed to support and test the implementation of standards-based health systems. However, it is still essential for healthcare providers to partner with established, expert and proven service providers who can ensure that their migration, implementation, and operations and maintenance fulfill their promises.
Key skill sets and assets include:

- Professional services that go beyond technical proficiency
- A healthcare-friendly partner with a proven track record
- An ability to work seamlessly with other integrators, as well as to plug into existing programs (or frame new ones) with minimal start-up effort
- An appropriate infrastructure with true physical isolation, from hardened facilities to data vaults and environmental services
- A defense-in-depth approach that includes physical and logical access and policy controls; an environment that supports not just cloud services but colocation and managed service requirements; and security that goes beyond regulatory or mandated standards to industry best-of-class procedures
- Multiple facility fail-over provisions that support the organization's plan across regions
- Continuous monitoring, including operational and security staffing that is 24x7x365, as threats don't keep a schedule
- Compliance for mandates like HIPAA, FISMA, PCI DSS and DIACAP, so there is no question of coverage for any application or data environment within that infrastructure

Carpathia understands the challenges IT security professionals face in managing risk and securing information. As a trusted cloud operator, we give our customers the confidence that they are able to comply with their HIPAA/HITECH obligations. Our industry-leading solutions allow healthcare customers to achieve end-to-end compliance in the hosting environment that best suits their needs.
Since HIPAA is not a prescriptive set of IT standards, it is essential that the IT service provider working with a healthcare organization selects an established baseline from which to build policy. Carpathia has elected to follow many of the same controls and requirements used in federal IT systems (FISMA). These are derived from the NIST Special Publication 800 series of documents, which has the additional benefit of producing systems that meet both FISMA and DIACAP requirements, should the organization start delivering services to the government. Our data center footprint includes North America, Europe and Asia, providing comprehensive solutions for networks, servers and storage equipment. Carpathia's 64,000 sq. ft., 7.3 MW IBX Vault data center in Dulles, VA was designed to deliver cloud, managed hosting and colocation solutions for both healthcare and federal agencies. It was built to exceed Tier 3 standards and provides the environment healthcare entities need to keep patient data safe; it is among the most connected and secure data centers in the industry. Carpathia has historical precedent in engineering and hosting HIPAA-compliant systems for medium and small companies, system integrators, development companies and small A8 businesses. Customers rely on Carpathia's compliance experience and expertise to ensure their information systems achieve and maintain healthcare compliance mandates throughout the lifecycle of their systems. Our HIPAA-compliant hosting services are built on our trusted private cloud operator platform and are designed to support multiple deployment models, offering flexibility and managed servers that provide scalability. Carpathia is a trusted cloud operator with over a decade of managed hosting experience serving covered entities, including healthcare providers, insurance and health plan clearinghouses and their business associates.

Our solutions blend the people, processes and technology required to meet the challenges of health IT. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds customers' expectations. For more information, please contact us today: sales@carpathia.com

Carpathia is a trusted cloud operator and leading provider of cloud services and managed hosting, providing secure, reliable and compliant IT infrastructure and management for some of the world's most demanding enterprises and federal agencies. Carpathia's cloud platform delivers solutions for every stage of the cloud journey, empowering organizations to meet their unique security and compliance requirements. Carpathia's experienced customer care team and innovative data center facilities provide 24x7 global support to ensure optimum performance and reliability. Carpathia is located at Atlantic Boulevard, Suite 500, Dulles, VA.
More informationNew privacy and security requirements increase potential legal liability and jeopardize brand reputation.
New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationPRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES
PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy
More informationSecuring the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer
Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationHIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality
HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.
More informationPrivacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:
HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates
More informationHIPAA Security Checklist
HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationHIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationHIPAA Security Policies & Procedures (HITECH updated)
Why Create HIPAA Security Policies and Procedures? The final HIPAA Security rule published on February 20, 2003 requires that healthcare organizations create HIPAA Security policies and procedures to apply
More informationHIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich
HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for
More informationHIPAA/HITECH: A Guide for IT Service Providers
HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing
More informationHIPAA Security Series
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationHIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
More informationHIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationHow To Write A Health Care Security Rule For A University
INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a
More informationSAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationImplementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
More informationThe HIPAA Security Rule Primer A Guide For Mental Health Practitioners
The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2
More informationHuseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653
Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 rusty@husemanhealthlaw.com use e Health care law firm fighting
More informationBEST PRACTICES FOR COMMERCIAL COMPLIANCE
BEST PRACTICES FOR COMMERCIAL COMPLIANCE [ BEST PRACTICES FOR COMMERCIAL COMPLIANCE ] 2 Contents OVERVIEW... 3 Health Insurance Portability and Accountability Act (HIPAA) of 1996... 4 Sarbanes-Oxley Act
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationHIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013
HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com
More informationHIPAA Security. assistance with implementation of the. security standards. This series aims to
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationHIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH
HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers
More informationThe HIPAA Security Rule Primer Compliance Date: April 20, 2005
AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below
More informationPolicies and Compliance Guide
Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationPrivacy and Security Meaningful Use Requirement HIPAA Readiness Review
Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationC.T. Hellmuth & Associates, Inc.
Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationHIPAA Security Matrix
HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software
More informationHIPAA PRIVACY AND SECURITY AWARENESS
HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect
More informationJoseph Suchocki HIPAA Compliance 2015
Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address
More informationHIPAA Security Risk Analysis for Meaningful Use
HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA
More informationMeaningful Use and Security Risk Analysis
Meaningful Use and Security Risk Analysis Meeting the Measure Security in Transition Executive Summary Is your organization adopting Meaningful Use, either to gain incentive payouts or to avoid penalties?
More informationUNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook
Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance
More informationHIPAA HANDBOOK. Keeping your backup HIPAA-compliant
The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this
More informationHIPAA Compliance and the Protection of Patient Health Information
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
More information2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents
2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationPreparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! Introduction Several years ago we first published A White Paper for Health
More informationAn Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
More informationWhat is HIPAA? The Health Insurance Portability and Accountability Act of 1996
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationWHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule...
WHITEPAPER HIPAA Requirements Addressed By Bradford s Network Sentry Family Evolve your network strategy to meet new threats and achieve expanded business imperatives Introduction.... 1 The HIPAA Security
More informationHIPAA COMPLIANCE PLAN FOR 2013
HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt
More informationOCR/HHS HIPAA/HITECH Audit Preparation
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationA Technical Template for HIPAA Security Compliance
A Technical Template for HIPAA Security Compliance Peter J. Haigh, FHIMSS peter.haigh@verizon.com Thomas Welch, CISSP, CPP twelch@sendsecure.com Reproduction of this material is permitted, with attribution,
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationWhat Virginia s Free Clinics Need to Know About HIPAA and HITECH
What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics
More informationHIPAA SECURITY AND POLICIES AND PROCEDURES. By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY
HIPAA SECURITY AND POLICIES AND PROCEDURES 1 HIPAA SECURITY AND POLICIES AND PROCEDURES By: Michele Cuper THESIS FOR MASTERS DEGREE INFORMATION ASSURANCE CAPS 795 DAVENPORT UNIVERSITY PRESENTED TO: DR.
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationAchieving HIPAA and HITECH Compliance. with Enterprise Single Sign-On
Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On Achieving HIPAA and HITECH Compliance with Enterprise Single Sign-On 1 TABLE OF CONTENTS The Challenges of HIPAA and HITECH Compliance
More informationHIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients
HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and
More informationLessons Learned from HIPAA Audits
Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance
More informationHealth Information Privacy Refresher Training. March 2013
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
More informationWHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE
WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from
More informationHealthcare Insurance Portability & Accountability Act (HIPAA)
O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,
More information