Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations
|
|
- Alexina Allen
- 8 years ago
- Views:
Transcription
1 Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased Audits & On-site Investigations Compliance Challenges Key Regulations State Regulations PCI DSS HIPAA Privacy HIPAA Security HITECH Act FACTA (Red Flags Rule) FISMA
2 Meaningful Use: Stage 1 Core Set Mandate Ensure adequate privacy and security protections for personal health information Through use of policies, procedures, and technologies Meaningful Use Stage 1 Objective (Final Rule) Protect EHR created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities Meaningful Use Stage 1 Measure (Final Rule) Conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of the risk management process Meaningful Use: HITECH Act Compliance with HIPAA's Privacy & Security Rules remain part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 CMS will withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved State Medicaid administrators will withhold meaningful use payment until any confirmed state privacy or security violation has been resolved EHR initiatives are coupled with increased privacy and security compliance with mandates State Regulations California SB 1386 requires notification of security breaches involving unencrypted sensitive data AB 1950 requires that organizations take reasonable precautions to protect CA residents personal data AB 1298 expands data breach notification law to include unencrypted medical histories, health insurance information, medical treatments & diagnoses SB 541 requires breaches must be disclosed to the affected patients AB 211 includes fines starting from $2,500 to $25,000 per violation for organizations that negligently disclose patient records
3 Massachusetts 201 CMR Comprehensive Written Information Security Program Establishes minimal standards for safeguarding personal information contained in both paper and electronic records Requires each covered business to develop, implement, maintain and monitor a comprehensive written information security program that applies to records that contain Massachusetts residents personal information Security program must include administrative, technical and physical safeguards to protect such records Regulations also require businesses that store or transmit personal information about Massachusetts residents to (201 CMR 17.04): Restrict access by use of passwords Deploy updated malware protection Encrypt information transmitted across public or wireless networks Monitor all systems to detect unauthorized access Encrypt information stored on laptops Incorporate firewalls State of Connecticut IC-25 All insurance companies doing business in Connecticut must report information breaches to state authorities within five calendar days, even if the data involved was encrypted The new state insurance breach reporting policy applies to health maintenance organizations, preferred provider organizations, and other health insurers, as well as property and casualty insurers, pharmacy benefit managers and medical discount plans It does not apply to hospitals and physicians A tough regulation which applies to paper and electronic records Rising Risk to Business Rising Risk to Business Risk to Information is a Risk to Business
4 Recent Breaches Nationwide 1. State: Texas Approx. # of Individuals Affected: 600 Date of Breach: 5/29/10 Location of Breached Information: Network Server 3. Rainbow Hospice and Palliative Care State: Illinois Approx. # of Individuals Affected: 1,000 Date of Breach: 4/12/10 Location of Breached Information: Laptop 2. State: Arizona Approx. # of Individuals Affected: 5,893 Date of Breach: 5/15/10 Location of Breached Information: Laptop 4. Emergency Healthcare Physicians, Ltd. State: Illinois Business Associate Involved: Millennium Medical Management Resources, Inc. Approx. # of Individuals Affected: 180,111 Date of Breach: 2/27/10 Location of Breached Information: Portable Electronic Device, Other Recent Breaches in CA 1. Children's Hospital & Research Center at Oakland Approx. # of Individuals Affected: 1,000 Date of Breach: 5/25/10 and 5/26/2010 Type of Breach: Other Location of Breached Information: Paper 2. Loma Linda University Health Care Approx. # of Individuals Affected: 584 Date of Breach: 4/04/10 Location of Breached Information: Desktop Computer 3. Silicon Valley Eyecare Optometry and Contact Lenses Approx. # of Individuals Affected: 40,000 Date of Breach: 4/02/10 Location of Breached Information: Network Server 4. St. Joseph Heritage Healthcare Approx. # of Individuals Affected: 22,012 Date of Breach: 3/06/10 Location of Breached Information: Desktop Computer 5. John Muir Physician Network Approx. # of Individuals Affected: 5,450 Date of Breach: 2/04/10 Location of Breached Information: Laptop Is Your Organization Next? Harris County Hospital, Texas Administrator lost medical/financial records of 1,200 patients with HIV/AIDS Information was on a portable flash drive Data was not password protected nor encrypted Staten Island University Hospital, NY Computer with Medical Records Stolen - Patients informed 4 months later UCSF Medical Center Information on patients was accessible on the Internet - Patients informed 6 months later New York-Presbyterian Hospital/Weill Cornell Medical Center 2000 patient records sold; 50,000 improperly accessed University of Utah Health Care Password protected but unencrypted laptop with data on 4,800 people was stolen after hours from a locked room University of Minnesota Reproductive Medicine Center Doctor lost an unencrypted portable storage device with information on 3,100 patients
5 Data Breach Reach New Heights Cost of data breach rose to $202 for each compromised record Average cost of healthcare breach was $282 for each record Average expense to an organization was $6.6 million Vast majority caused by negligence Portable devices, laptops are responsible for growing # of breaches Source: The Wall Street Journal, February 2, 2009 How prepared is your organization? Key Definitions Breach The term breach means the unauthorized acquisition, access, use, or disclosure of sensitive information which compromises the security or privacy of sensitive information such that it poses a significant risk of financial, reputational, or other harm to the individual Unsecured Sensitive Information Sensitive information must be rendered unusable, unreadable, or indecipherable to unauthorized individuals Encryption Use of an algorithmic process to transform data into a forms in which there is low probability of assigning meaning without use of a confidential process or key an such confidential process or key that might enable decryption has not been breached What Federal Agencies Expect! Organizations must: Identify if breach affects 500 or more OR Less than 500 Initial Report, Addendum to Previous Report Provide covered entity contact information Identify if breach occurred at or by a Business Associate Breach Date of breach, Date of Discovery Approx # of impacted individuals Type of Breach Theft, Loss, Improper disposal, Unauthorized access, Hacking/IT incident Other, Unknown Type of Sensitive Information Involved in Breach: Demographic information Financial information Clinical Information Other
6 What Federal Agencies Expect! Brief Description of Breach Location How it occurred? Additional information: type of breach, type of media, type of PHI Safeguards in Place Prior to Breach Firewalls, Packet filtering (router based) Secure Browser Sessions, Logical Access Control Strong Authentication, Encrypted Wireless, Physical Security Anti-virus Software, Intrusion Detection, Biometrics Action in Response to Breach: Security and/or Privacy Safeguards Mitigation Sanctions Policies & Procedures Other Attestation Establishing s a Security Program What Is Your Information Security Framework? A Checklist for Compliance Critical Action: Conduct a Risk Analysis
7 ISO 27000: A Global Information Security Standard A comprehensive set of controls comprising best practices in information security Comprised of: A code of practice A specification for an information security management system Intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used in industry and commerce What Is Your Security Framework? PCI DSS A Global Data Security Standard 1. Build and Maintain a Secure Network 1. Firewall configuration 2. Vendor defaults 2. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission 3. Maintain a Vulnerability Management Program 5. Update anti-virus software 6. Maintain secure systems and applications 4. Implement Strong Access Control Measures 7. Restrict access need to know 8. Assign unique ID s 9. Restrict physical access 5. Regularly Monitor and Test Networks 10. Track and monitor all access 11. Regularly test security processes 6. Maintain an Information Security Policy 12. Maintain policies Checklist for Audits Entity-wide Security Plan Risk Analysis (most recent) Risk Management Plan (addressing risks identified in the Risk Analysis) Security violation monitoring reports Vulnerability scanning plans Results from most recent vulnerability scan Network penetration testing policy and procedure Results from most recent network penetration test List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees) Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
8 Checklist for Audits - Policies Prevention, detection, containment, and correction of security violations Employee background checks and confidentiality agreements Establishing user access for new and existing employees List of authentication methods used to identify users authorized to access EPHI List of individuals and contractors with access to EPHI to include copies pertinent business associate agreements List of software used to manage and control access to the Internet Detecting, reporting, and responding to security incidents Physical security Encryption and decryption of EPHI Mechanisms to ensure integrity of data during transmission - including portable media transmission Checklist for Audits - Procedures Monitoring systems use - authorized and unauthorized Use of wireless networks Granting, approving, and monitoring systems access (for example, by level, role, and job function) Sanctions for workforce members in violation of policies and procedures governing EPHI access or use Termination of systems access Session termination policies and procedures for inactive computer systems Policies and procedures for emergency access to electronic information systems Password management policies and procedures Disposal of media and devices containing EPHI Secure workstation use Addressing HITECH Breach Mandates Develop policy on Discovery, Reporting & Notification of Information Breaches Create a specific procedure for information breach management Develop specific procedure for information breach notification Conduct training for all members of the workforce 2010 & Beyond: It s About PII Personally Identifiable Information
9 Beyond PHI. PII. Personally Identifiable Information Until now, it has been about Protected Health Information (PHI) HIPAA Privacy Electronic Protected t Health Information (EPHI) HIPAA Security Unsecured PHI HITECH Act Cardholder information PCI DSS Personal data or information State Regulations 2010 and beyond it is about PII What PII does your organization come into contact with? Where is PII in your organization? How is the PII secured in your organization? Incident Response for Breaches of PII What is Your Formal Plan? 1. Preparation 1. Build PII breach response as part of incident response 2. Develop appropriate policies & procedures 3. Employees must understand d what constitutes t a PII breach 4. Develop a comprehensive breach notification plan 2. Detection and Analysis 1. Implement detection & analysis technologies & techniques 2. Make adjustments as needed 3. Containment, Eradication & Recovery 1. Perform additional media sanitization steps 2. Ensure proper forensics techniques are practiced 4. Post-Incident Activity 1. Learn and update PII breach response plan Information Security Program Strategy Core to the Edge and the Cloud Physical Security Firewall Systems IDS/IPS Identity Management Encryption Critical Info & Vital Assets Security Strategy Must be Risk-based, Pro-active, Integrated!
10 Pabrai s Laws of Information Security Is Your Security Kismet or Karma? 1. There is no such thing as a 100% secure environment 2. Security is only as strong as your weakest link 3. Security defenses must be integrated and include robust (passive) and roving (active) controls to ensure a resilient enterprise 4. Security incidents provide the foundation for security intelligence Is Your Enterprise Security? Kismet A Reactive Security Framework Karma A Proactive Security Framework The ecfirst STePS TM Program Exclusive StePS TM - Meaningful Use/EHR Program components include: Private Webcast: Raise Knowledge of Your Organization Risk Analysis of one EHR Application Know Your Meaningful Use Score! Report Card on Status HIPAA Privacy & HIPAA Security Policy Templates HITECH Data Breach Policy & Procedures EHR Vendor Evaluation & Coordination Ali Pabrai, Pabrai@ecfirst.com
Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @
Checklist for Breach Readiness Enabling a Resilient Organization Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Facts about breach violation impact
More informationChecklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security
Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More information8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice
Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationThe CIO s Guide to HIPAA Compliant Text Messaging
The CIO s Guide to HIPAA Compliant Text Messaging Executive Summary The risks associated with sending Electronic Protected Health Information (ephi) via unencrypted text messaging are significant, especially
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationHow to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization
How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationPlease Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax
Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating
More informationHIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationNetwork Security for End Users in Health Care
Network Security for End Users in Health Care Virginia Health Information Technology Regional Extension Center is funded by grant #90RC0022/01 from the Office of the National Coordinator for Health Information
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationHIPAA security rules of engagement
healthcare HIPAA security rules of engagement The use of health information technology continues to expand in healthcare. Healthcare organizations are using web-based applications and other portals that
More informationHIPAA Email Compliance & Privacy. What You Need to Know Now
HIPAA Email Compliance & Privacy What You Need to Know Now Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a number of requirements on the healthcare industry
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationHow To Protect Yourself From Cyber Threats
Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationHosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
More informationPatient Privacy and Security. Presented by, Jeffery Daigrepont
Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health
More informationHow To Protect Your Data From Being Stolen
DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationBUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity
More informationHealthcare Compliance Solutions
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationHIPAA COMPLIANCE PLAN FOR 2013
HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationWhat is HIPAA? The Health Insurance Portability and Accountability Act of 1996
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
More informationFIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
More informationDatto Compliance 101 1
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationHIPAA in the Cloud How to Effectively Collaborate with Cloud Providers
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationHIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality
HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.
More informationOCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013
ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationOverview of Topics Covered
How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA
More informationWHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS
WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS Introduction Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or
More informationSolutions Brief. PC Encryption Regulatory Compliance. Meeting Statutes for Personal Information Privacy. Gerald Hopkins Cam Roberson
Solutions Brief PC Encryption Regulatory Compliance Meeting Statutes for Personal Information Privacy Gerald Hopkins Cam Roberson March, 2013 Personal Information at Risk Legislating the threat Since the
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE
More informationBUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS
BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationUpdates on HITECH and State Breach Notification and Security Requirements Robin Campbell
Who s Afraid Of A Big Bad Breach?: Updates on HITECH and State Breach Notification and Security Requirements Robin Campbell Overview Identifying the laws that protect personal information and protected
More informationSecurity Is Everyone s Concern:
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
More informationHIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers
How to Effectively Collaborate with Cloud Providers Speaker Bio Chad Kissinger Chad Kissinger Founder OnRamp Chad Kissinger is the Founder of OnRamp, an industry leading high security and hybrid hosting
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationBREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
More informationHIPAA In The Workplace. What Every Employee Should Know and Remember
HIPAA In The Workplace What Every Employee Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security
More informationHIPAA Security Overview of the Regulations
HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationArchitecting Security to Address Compliance for Healthcare Providers
Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...
More informationHIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More informationHIPAA & HITECH AND THE DISCOVERY PROCESS
HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Pam Townley, AVP / Eastern Zonal Manager AIG Professional Liability Division Jennifer Bolling, Account Executive Gallagher Management Liability Division
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationStatement of Policy. Reason for Policy
Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions
More informationHIPAA Security Compliance Reviews
HIPAA Security Compliance Reviews Elizabeth S. Holland, MPA Office of E-Health Standards and Services Centers for Medicare & Medicaid Services U.S. Department of Health and Human Services 1 2 What is HIPAA?
More informationIntro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits
HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance
More informationPROTECTING YOUR VOICE SYSTEM IN THE CLOUD
PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationCyber Security & Compliance:
Cyber Security & Compliance: Ali, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Cyber Threats & Compliance IBM Cyber Security Report on the Threat Landscape 1,400 is the average # of attacks on a
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationQ: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption?
Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? A. Most e-mail systems do not include encryption. There are
More informationHOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group
HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,
More informationHIPAA Security Rule Changes and Impacts
HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.
More informationMobile Medical Devices and BYOD: Latest Legal Threat for Providers
Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and
More informationHIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013
Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationHealthcare to Go: Securing Mobile Healthcare Data
Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard
More informationHIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationAre You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives
Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationINFORMATION SECURITY & HIPAA COMPLIANCE MPCA
INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health
More information4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda
One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification Adam H. Greene, JD, MPH Partner Davis Wright Tremaine HCCA Compliance Institute April 22, 2015 Doug Pollack Chief Strategy
More informationDepartment of Health and Human Services OFFICE OF INSPECTOR GENERAL
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More information