HIPAA RISK ASSESSMENT
Dinah Moody
PRACTICE INFORMATION (FILL OUT ONE OF THESE FORMS FOR EACH LOCATION)

Practice Name:
Address:
City, State, Zip:
Phone:

We anticipate that your Meaningful Use training and implementation will take approximately 30 days. Most of your training will be done by attending courses at SammyUniversity.com. If, after you attend Sammy University, you feel that you need additional one-on-one training, we will certainly make ourselves available to help you! Register for Meaningful Use ASAP! SammyEHR's CMS EHR Certification ID is SVAKEAS.

HIPAA Compliance

ICS has made me aware of the HIPAA security requirements.

I decline ICS's offer to assist me in becoming HIPAA compliant.

Please assist me in becoming HIPAA compliant. I have completed the attached questionnaire. I will send it back to ICS completed to the best of my ability, including payment ($399 for 1 office, $199 for each additional office).

Please make check payable and remit to: ICS Software, Ltd., 3720 Oceanside Road West, Oceanside, NY

If paying by credit card, please include your information below:
MasterCard / Visa / Amex / Discover
Card Number:
Expiration: /
Signature:

Please send this form back to ICS via fax ( ), email (support@icssoftware.net) or mail.
As part of the requirement for Meaningful Use, the practice is required to perform a risk assessment. The types of risks that need to be addressed include Physical, Administrative and Technical risks. This document is the risk assessment. If you do not understand what is being asked for in any given location, please leave it blank.

PHYSICAL RISKS

Loss of Power

Loss of power not only results in the inaccessibility of data on practice computer systems; improper shutdown of computer systems due to power outages can also damage hardware and cause loss of the data on those systems. An assessment of the possibility of loss of power, and implementation of measures to mitigate the potential damage from this event, is necessary.

1. How many times in the past year have you lost power?
2. Do you have a Backup Generator? Yes / No
3. Do you have UPS (Battery Backup) on all critical technology devices? Yes / No
   Critical devices can include computers, networking equipment, and phone systems. Your server would be a critical computer. NOT all workstations are critical devices, but at least one should have a UPS installed.
4. Do you have phones that can plug directly into the wall and do not require a power source?

Loss of Internet Connectivity

Use of the internet is required for connection to Health Information Exchanges, remote offices, and other data sources. This connectivity may be necessary to ensure that patient data is available. The more data that is located off premises, the greater the impact a loss of connectivity will have on your practice. The practice's need for connectivity will determine the severity of a loss of connectivity and the steps required to mitigate it.

1. How many times in the past two years have you lost internet connectivity?
2. How many of these were accompanied by a loss of electricity?
3. Do you have multiple connections from multiple internet carriers? Yes / No
4. Do you have a wireless internet connection, such as a laptop edge card, in case of a service outage? Yes / No
5. Is your database located at this location or at an offsite location? This location / Offsite
6. Do satellite offices need to be able to connect to this location?
7. If your data is offsite, it is located:
   In your other office
   In your computer at a data center
   In the cloud at an ASP
   Other (please specify)

Loss of Premises due to Fire

In addition to the risks that fire poses to computer systems, fire poses a significant risk to the health and safety of the practice's patients and workforce. The primary goal of a fire risk assessment and risk mitigation is to ensure the safety of the people who are at the premises. With proper implementation of fire protection, it is possible to minimize damage to computer systems due to fire. In case of damage due to fire or other disaster, it may be necessary to implement the practice disaster recovery plan, which is addressed in the HIPAA Security Manual.

1. Do you have fire extinguishers? Yes / No
   Please mark the locations of all fire extinguishers on your practice floor plan.
2. Do you have sprinklers at your location? Yes / No
   Please mark the locations of sprinklers on your practice floor plan.
3. Do you have smoke detectors? Yes / No
   Please mark the locations of all smoke detectors on your floor plan.
4. Do you have fire alarms? Yes / No
   Please mark the locations of all fire alarms on your floor plan.
5. Do you have central station monitoring for fires? Yes / No
   Please mark the location of all fire extinguishers on your floor plan.

Loss due to Theft

Theft of computer systems and data represents a significant risk to the practice. Theft of computer systems or of data is a major HIPAA violation. There are multiple methods of theft, including theft of data and theft of physical computers and media. Here we will discuss risks posed by theft of physical devices.

1. Do you have an anti-theft system such as a burglar alarm? Yes / No
2. Do you have central station monitoring? Yes / No
3. Who is alerted if the alarm is triggered?
4. Is there video surveillance and recording of the premises? Yes / No
5. Do you have motion detectors? Yes / No
6. Are all external windows alarmed? Yes / No
   a. If not, please describe why not:
7. Are all external doors alarmed? Yes / No
   a. If not, please describe why not:
8. Are any internal windows or doors alarmed? Yes / No
   Please mark the location of all alarmed access points on your office floor plans.
9. Are you tracking who has access to the premises using keys / keypad access? Yes / No
10. Are all computers in secure areas? Yes / No
   Please mark the location of each computer on your floor plan. Indicate which rooms that store computers have locks installed.

COMPUTER INVENTORY FORM

List all computers, devices and media containing e-PHI on the inventory sheet. Include details on who is responsible for mobile devices and media. Please give each device an ID. This ID will be utilized when documenting all of your installed software. Be sure to list the Make, Model and Serial Number of each device, and additionally the operating system and antivirus software (if any) on each computer or mobile device. Digital printers and copiers often have hard drives. If you have digital imaging devices such as printers, copiers, or scanners that contain hard drives, you must have an inventory form for each of those devices.

Please fill out one form for each workstation, laptop, server and PDA used in your practice. Please photocopy that form and keep a blank one available; you will need to add a Computer Inventory Form to your HIPAA manual each time you buy a new computer.

Computer Name (please name each computer):
Computer Make (e.g. Dell, HP, etc.):
Computer Model:
How many hard drives are in the computer?
Are any of the drives encrypted? Please provide details:
Operating System (be specific, e.g. Windows XP Professional):
Location of Computer (Front Desk, Treatment Room 1, Mobile Kiosk):
What antivirus software is installed?
Is the computer connected to a Battery Backup? If yes, please list make and model of Battery Backup:
If this is a mobile device, who is responsible for this computer?
Media Destruction Documentation

Hard Drive Make / Model:   Date Destroyed:   Replaced with:
Hard Drive Make / Model:   Date Destroyed:   Replaced with:
Hard Drive Make / Model:   Date Destroyed:   Replaced with:
Hard Drive Make / Model:   Date Destroyed:   Replaced with:
Hard Drive Make / Model:   Date Destroyed:   Replaced with:

You will notice a section titled Media Destruction Documentation on each of the Computer Inventory Forms. Each of these inventory forms will become part of your HIPAA manual, and you need to track all media that your practice uses to store e-PHI. When media is retired, the data on the media needs to be irreversibly destroyed. This can be accomplished by using software that wipes the media, or by physically destroying the disks. Please describe the methods you use to irreversibly destroy all e-PHI on your retired media. You need to be specific. If you do not have a method, we recommend utilizing Iron Mountain, which provides hard disk shredding.
OTHER PHYSICAL DAMAGE

If your office is at risk of damage due to factors not addressed earlier in this questionnaire, please detail those risks here. Risks could include, but are not limited to, floods, hurricanes, earthquakes, or other natural disasters.

In case of a disaster you may need to reinstall all programs, including operating systems. The installation disks should be stored at a location that is offsite. Where do you store your installation disks?
BACKUP AND RESTORATION

In the event of a loss of equipment and/or data, it is important to be able to access critical patient data. This is accomplished by having data backups, contingency plans, and disaster recovery plans, all of which are addressed in your HIPAA Security Manual. In order for these plans to function, certain steps need to be taken on a regular basis to ensure the integrity and availability of data.

1. Do you back up data to local media? Yes / No
2. If yes, what type of media is utilized?
3. Is the media stored off site? Yes / No
4. Do you have a fireproof safe at your practice location? Yes / No
5. Do you have a fireproof safe at an offsite location? Yes / No
6. How often do you back up your data?
7. How often do you test your backups?
8. How many days of backup do you retain locally?
9. Do you utilize remote backup services? Yes / No
10. How often do you back up data remotely?
11. What type of media is utilized?
12. How often do you test your remote backup?
13. How many days of backup do you retain remotely?
14. What offsite backup company do you use? Please attach a copy of the BAA with your offsite backup service to your HIPAA manual.
15. Do you have copies of all installation disks? Yes / No
16. Where are these disks stored?
17. How do you test your backup?
VENDORS, SUPPLIERS, CONSULTANTS AND SUPPORT

In the case of a disaster you will need the assistance of your hardware vendors, software vendors, and consultants. The details of disaster recovery are listed in your HIPAA Security Manual. Please list your vendors and consultants in this section. Include information on the Operating Systems and Anti-Virus Software. If you have multiple copies of software installed on multiple computers, please fill out information for each instance separately. Attach additional pages as necessary.

Hardware Vendor:
Contact Name:
Phone Number(s):
Email address:

Hardware Vendor:
Contact Name:
Phone Number(s):
Email address:

Hardware Vendor:
Contact Name:
Phone Number(s):
Email address:
SOFTWARE VENDORS (COMPLETE FOR EACH SOFTWARE VENDOR)

Software Vendor:
Software Product and Version:
Software License Information:
Contact Name:
Phone Number(s):
Email address:

1. Does the software support encryption? Yes / No
2. What type of encryption is implemented?
3. Does the software support auditing of use and access? Yes / No
4. Does the software require a login? Yes / No
   If the software requires a login:
   a. Does the software support or require strong passwords? Yes / No
   b. Is this implemented? Yes / No
   c. Does the software support or require regular password changes? Yes / No
   d. Is this implemented, and how often are passwords required to be changed? Yes / No
5. Are automatic updates available with this software product? Yes / No
6. Are automatic updates enabled? Yes / No
7. If the automatic updates require annual renewal, when does the current update license expire?
TECHNICAL MEASURES

Technical measures need to be implemented to ensure the security of your computer network. These technical measures are detailed in the HIPAA Security Manual. In order to properly answer these questions, you will probably need the assistance of your hardware and software vendors.

1. Do you have auditing software installed on your computer network? Yes / No
2. What auditing software is utilized?
3. How often are the audit logs reviewed?
4. Is there an intrusion detection system installed on your computer network? Yes / No
5. Does the computer network support a login threshold? Yes / No
6. What is that threshold?
7. What happens if that threshold is exceeded?
8. Does the computer network support strong passwords? Yes / No
9. Is that implemented? Yes / No
10. Please describe the password policy that is implemented on the computer.

NETWORK SECURITY

1. Do you have a wireless network? Yes / No
2. What type of firewall is installed (Make and Model)?
3. What type of router is installed (Make and Model)?

Note that your Wireless Access Point and your router are often the same device. Please answer the following questions for each of your Wireless Access Points:

Make and Model:
Is MAC address security enabled? Yes / No
What type of wireless security is enabled? None / WEP / WPA / WPA2-Personal / WPA2-Enterprise / Other (please specify):
AUDITING SOFTWARE

If your computer has any auditing software installed, or your EMR software has built-in auditing, please describe it here.

STAFF ROSTER

As part of the HIPAA security policies, each staff member needs to receive annual HIPAA training and regular HIPAA reminders. We provide regular HIPAA training to your staff via webinars and regular updates via email. We therefore require a separate valid email address for each of your staff members. As part of the workforce authorization process it may be appropriate to perform background checks on your employees.

Staff Member Name:   Email Address:

If you have done background checks, they should be attached to and made part of your HIPAA manual. Your HIPAA manual will have blank pages for each staff member (photocopy as needed) which should be filled out for each existing employee and each new employee. They contain information that needs to be filled out when each employee leaves your practice.
ASSIGNED RESPONSIBILITY

HIPAA requires that you assign staff members to various security / privacy posts within your practice. Please let us know who is:

Practice Security Officer:
This is the person responsible for implementing all of the security provisions detailed in this HIPAA manual, testing the security procedures and making necessary changes to your manual should they be required. This person will be in charge of your Security Incident Response Team in case of a HIPAA breach.

Practice Privacy Officer:
This is the person responsible for communicating with your patients should they have any questions or issues regarding HIPAA privacy in your office. In case of a breach they will work with the Security Officer and be on the Security Incident Response Team to mitigate any breaches.

Practice Compliance Officer:
This is the person who is responsible for monitoring the employees of your practice to ensure that they are following your HIPAA policy, and this person will be responsible for ensuring that the logs in the HIPAA manual are updated as appropriate.

BUSINESS ASSOCIATE AGREEMENTS

Provide a list of all companies having access to any patient information for any purpose, and any individuals who have remote access. This includes orthotic labs if you put patient names on the orthotic Rx, but not doctors to whom you send and from whom you receive referrals. Ex: accountants, practice consultants, transcription services, billing companies, etc. Do NOT list employees of your practice.

Please attach copies of the Business Associate Agreements with each of the entries above.
FLOOR PLAN

Please draw a floor plan of your practice. Each of the following must be marked:

Doors
   If the door has a lock, please indicate.
   If the door is alarmed, please indicate.
Windows
   If the window has a lock, please indicate.
   If the window is alarmed, please indicate.
Computers
   Mark where each computer is located.
   Please name each computer (see inventory sheet).
Fire
   Please mark locations of fire detectors and fire extinguishers.
Theft
   Please mark locations of motion detectors, video cameras and keypads.

Attach your floor plan to this questionnaire.
REMOTE ACCESS

Does anybody access your practice computers remotely? Yes / No
Please describe the security that has been implemented for each remote user.
More informationHIPAA HANDBOOK. Keeping your backup HIPAA-compliant
The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this
More informationCloud Computing. Chapter 10 Disaster Recovery and Business Continuity and the Cloud
Cloud Computing Chapter 10 Disaster Recovery and Business Continuity and the Cloud Learning Objectives Define and describe business continuity. Define and describe disaster recovery. Describe the benefits
More informationThe City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division
The City of New York Office of the Comptroller Bureau of Financial Audit EDP Audit Division WILLIAM C. THOMPSON, JR. Comptroller Follow-Up Report on the New York City Fire Department Arson Information
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationProcedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
More informationDISASTER RECOVERY PLAN
DISASTER RECOVERY PLAN Section 1. Goals of a Disaster Recovery Plan The major goals of a disaster recovery plan are: To minimize interruptions to normal operations. To limit the extent of disruption and
More informationSITECATALYST SECURITY
SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance
More informationHealthcare Security Vulnerabilities. Adam Goslin Chief Operations Officer High Bit Security
Healthcare Security Vulnerabilities Adam Goslin Chief Operations Officer High Bit Security Webinar Overview IT Security and Data Loss Breach Sources / Additional Information Recent Medical Breach / Loss
More informationCONTINUITY AND RECOVERY PLANNING GUIDE
CONTINUITY AND RECOVERY PLANNING GUIDE The Continuity Planning process is designed to assist an organization in determining action plans for disaster recovery or incident response. The process also aids
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationEnabling Solutions for HIPAA Compliance. Presented by: Mike McDermand
Enabling Solutions for HIPAA Compliance Presented by: Mike McDermand HIPAA Agenda About Computer Associates International, Inc. (CA) AHA HCCA HIPAA security survey Summary results Highlights of responses
More informationSecurity Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT / FIPS 199 Compliant
Brochure More information from http://www.researchandmarkets.com/reports/3302152/ Security Manual Template Policy and Procedure Manual Compliance Management Made Easy ISO 27000 / HIPAA / SOX / CobiT /
More informationOPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
More informationState HIPAA Security Policy State of Connecticut
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
More informationCIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT
CIBHS Small Counties HIPAA Training; HIPAA for Executive Leadership and HIPAA Compliance for IT Class Date: January 29, 2016 Webinar Questions/Follow-Up Answers Question Please expand on the Treatment
More informationA Nemaris Company. Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher
A Nemaris Company Formal Privacy & Security Assessment For Surgimap version 2.2.6 and higher 306 East 15 th Street Suite 1R, New York, New York 10003 Application Name Surgimap Vendor Nemaris Inc. Version
More informationto EMR transition Contents
Best Practices Guide HIPAA Primer series HEALTHCARE Iron Mountain Document Conversion Services The HIPAA-compliant approach to EMR transition Contents 3 EMR Transition: The Growing Importance of Document
More informationNetwork Security for End Users in Health Care
Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationCounty Identity Theft Prevention Program
INTRODUCTION CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM The Osceola County Board of County Commissioners is committed to protecting consumers who do business with Osceola County, and as such
More informationINFORMATION SECURITY FOR YOUR AGENCY
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationPatient Privacy and Security. Presented by, Jeffery Daigrepont
Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health
More informationby: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy
Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationREQUEST FOR QUOTE Department of Children and Families Office of Child Welfare National Youth in Transition Database Survey Tool January 27, 2014
REQUEST FOR QUOTE SUBJECT: Request for Quotes, State Term Contract #973-561-10-1, Information Technology Consulting Services TITLE: National Youth in Transition Database (NYTD) Survey Tool Proposal Software
More informationIT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST
INFORMATION TECHNOLOGY & MANAGEMENT IT Checklist INTRODUCTION A small business is unlikely to have a dedicated IT Department or Help Desk. But all the tasks that a large organization requires of its IT
More informationUniversity of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary
University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent
More informationTufts Health Plan Corporate Continuity Strategy
Tufts Health Plan Corporate Continuity Strategy July 2015 OVERVIEW The intent of this document is to provide external customers and auditors with a highlevel overview of the Tufts Health Plan Corporate
More informationCOLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL
PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card
More informationIdentity Theft Prevention Program Compliance Model
September 29, 2008 State Rural Water Association Identity Theft Prevention Program Compliance Model Contact your State Rural Water Association www.nrwa.org Ed Thomas, Senior Environmental Engineer All
More informationIntro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits
HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationHIPAA SECURITY RULES FOR IT: WHAT ARE THEY?
HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule. The HIPAA Security Rule outlines
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More information