Laying a Foundation for the Next 10 Years of Secure, Interoperable Exchange
Slide 1: Laying a Foundation for the Next 10 Years of Secure, Interoperable Exchange
Jeremy Maxwell, PhD, IT Security Specialist, ONC
June 24, 2015

Slide 2: Learning Objectives
- Explain the core elements of the Shared Nationwide Interoperability Roadmap
- Assess open challenges to be solved to achieve an interoperable health system
- Describe the ways in which ONC is working with the health care industry to ensure the foundation for health IT interoperability

Slide 3: Agenda
- Basics of the Shared Nationwide Interoperability Roadmap
- Privacy & security portions of the Roadmap

Slide 4: Interoperability
The ability of a system to exchange electronic health information with, and use electronic health information from, other systems without special effort on the part of the user.

Slide 5: Why Does Interoperability Matter?
- Individuals and providers need access to the right information at the right time, in a manner they can use to make decisions that impact their health, regardless of geographic or organizational boundaries
- The typical Medicare beneficiary receives care from 2 primary care providers and 5 specialists each year
- Only 10-20% of health outcomes are attributable to health care
- Information needs to flow inside and outside the care delivery system to support health

Slide 6: Why Now?
- Consumers increasingly expect and demand real-time access to their electronic health information
- Significant progress in digitizing the care experience
- Evolving delivery and payment models are not only driving appropriate data sharing, but depend on it
- Successes and promising practices exist and can be built on
- Technology is rapidly evolving
- Opportunities to improve care and advance science in a learning health system environment demand rapid action

Slide 7: Removing Roadblocks to Accessing Patient Data
Slide 8: DRAFT Shared Nationwide Interoperability Roadmap: The Vision
- Nationwide ability to send, receive, find and use a common clinical data set
- Expand interoperable data, users, sophistication and scale
- Broad-scale learning health system
Slide 10: Critical Near Term Actions by Building Block
Privacy and security protections for health information:
- Educate stakeholders on current federal laws & cybersecurity
- Work with states and organizations to align laws that provide additional protections, without undermining privacy
Slide 12: Agenda
- Basics of the Shared Nationwide Interoperability Roadmap
- Privacy & security portions of the Roadmap

Slide 13: Privacy & Security Portions of the Roadmap
- Section E: Ubiquitous, secure network infrastructure
- Section F: Verifiable identity and authentication of all participants
- Section G: Consistent representation of permission to collect, share and use identifiable health information
- Section H: Consistent representation of authorization to access health information

Slide 14: Section E: Ubiquitous, Secure Network Infrastructure

Slide 15: Security Risk Management: Back to Basics

Slide 16: Killing Security Myths
- "We have firewall and VPN. We're safe."
- "We have encryption. We're safe."
- "We have. We're safe."
- "Security is a technical problem."
- "Security is a policy problem."
- "We'll secure it later."
- "Security controls cause performance problems."
- "Security controls are hard to use."
- "People are the greatest weakness."

Slide 17: What Do All These Say?

Slide 18: [no transcribed text]
Slide 19: Call to Action: Multi-Layered, Defense in Depth
- Security risk management program
- Usability, usability, usability
- Documented security controls
- Cross-organizational threat information sharing
- Incident response capabilities
- Operational & behavioral monitoring (particularly of credentials that have system-level access to APIs or databases that contain PHI)
- Develop & deploy health IT following DHS and NIST guidance for building security in
- Assess the security of applications and infrastructure via penetration testing & other means, to identify vulnerabilities before they are exploited
- Encrypt the contents of all network messages in transit
- Secure all data stored in databases by encrypting data at rest and securing the encryption keys
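The "operational & behavioral monitoring" item above is the one most often left as a slogan. The following is an added example, not from the ONC deck, of what it looks like in practice for the credentials the slide singles out: service accounts with system-level access to a PHI-bearing API. It parses constructed audit lines from a hypothetical API gateway, compares each system-level credential against a small expected-behavior profile (allowed source hosts, a bulk-read ceiling, an optional maintenance window), and returns findings. The account names, hosts, endpoint paths and thresholds are assumptions for illustration.

```python
"""Behavioral monitoring of system-level credentials that reach PHI stores.

Added example (not from the ONC deck). It parses constructed API-gateway audit
lines, holds a small per-account profile of where and how much each
system-level credential normally reads, and raises findings when a credential
strays from that profile. Account names, hosts and thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one line per API call that touched a PHI-bearing store.
SAMPLE_LOG = """\
2015-06-24T02:14:05Z principal=svc-hie-bridge src=10.20.1.15 op=GET /fhir/Patient rows=12
2015-06-24T02:14:09Z principal=svc-hie-bridge src=10.20.1.15 op=GET /fhir/Observation rows=40
2015-06-24T03:02:41Z principal=svc-etl-nightly src=10.20.2.8 op=GET /fhir/Patient rows=5000
2015-06-24T09:17:22Z principal=dr.jones src=10.30.5.77 op=GET /fhir/Patient rows=1
2015-06-24T11:41:03Z principal=svc-hie-bridge src=203.0.113.9 op=GET /fhir/Patient rows=15
2015-06-24T11:41:30Z principal=svc-hie-bridge src=203.0.113.9 op=GET /fhir/Patient rows=9800
"""

# Expected behavior of each system-level credential (assumed here; in practice
# it comes from the service-account inventory and the hosts they are deployed on).
# "window" is the hour range (start inclusive, end exclusive) a batch job may run.
SYSTEM_ACCOUNTS = {
    "svc-hie-bridge": {"hosts": {"10.20.1.15"}, "max_rows": 500},
    "svc-etl-nightly": {"hosts": {"10.20.2.8"}, "max_rows": 10000, "window": (1, 5)},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) src=(?P<src>\S+) "
    r"op=(?P<op>\S+ \S+) rows=(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str
    src: str
    op: str
    rows: int


@dataclass(frozen=True)
class Finding:
    principal: str
    reason: str
    ts: str


def parse_log(text: str) -> list[Event]:
    """Parse gateway audit lines; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            principal=m["principal"], src=m["src"], op=m["op"], rows=int(m["rows"]),
        ))
    return events


def detect(events: list[Event]) -> list[Finding]:
    """Flag system-level credentials used from unexpected hosts, in bulk, or off-schedule."""
    findings = []
    for e in events:
        profile = SYSTEM_ACCOUNTS.get(e.principal)
        if profile is None:
            continue  # interactive users are covered by other controls
        when = e.ts.isoformat()
        if e.src not in profile["hosts"]:
            findings.append(Finding(e.principal, f"unexpected source host {e.src}", when))
        if e.rows > profile["max_rows"]:
            findings.append(Finding(e.principal, f"bulk read of {e.rows} rows", when))
        window = profile.get("window")
        if window and not (window[0] <= e.ts.hour < window[1]):
            findings.append(Finding(e.principal, f"activity outside window at {e.ts.hour:02d}h", when))
    return findings


def run_sample() -> list[Finding]:
    """Run the detector over the constructed log; returns three findings for svc-hie-bridge."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f.ts, f.principal, f.reason)
```

The profile-driven checks are deliberately simple; the point is that a credential with system-level reach gets a written expectation (hosts, volume, schedule) and that deviations are surfaced, which is what makes the later incident-response item on the slide actionable.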
Slide 20: Section F: Verifiable Identity and Authentication of All Participants

Slide 21: Auth* Concepts
- Identity proofing
- Credentials
- Authentication
- Authorization

Slide 22: Call to Action: Things to Solve
- Levels of assurance
- Identity proofing vs. authentication
- Remote patient authentication
- Remote provider/IT admin authentication
- Continued innovation for authentication technology
- Identifying and recovering from medical identity theft

Slide 23: Section G: Consistent Representation of Permission to Collect, Share and Use Identifiable Health Information

Slide 24: Current U.S. Privacy Rules Environment
- Laws, regulations, and policies for patient consent
- Laws, regulations, and policies for sensitive information
- Consent models (opt-in, opt-out, with restrictions, etc.)
- HIO/HIE architecture
- EHR system interoperability
- Patient consent directive (paper/electronic) or HIPAA Permitted Uses and Disclosures (background rules)
Slide 25: Sample State Definitions of Mental Health Information (for Disclosure Purposes)
D.C. Code Definitions (District of Columbia Official Code, Division I. Government of District, Title 7. Human Health Care and Safety, Subtitle C. Mental Health, Chapter 12. Mental Health Information, Subchapter I. Definitions; General provisions):
"Mental health information" means any written, recorded or oral information acquired by a mental health professional in attending a client in a professional capacity which: (A) Indicates the identity of a client; and (B) Relates to the diagnosis or treatment of a client's mental or emotional condition.
N.C. Gen. Stat. 122C-3 Definitions (General Statutes of North Carolina, Chapter 122C. Mental Health, Developmental Disabilities, and Substance Abuse Act of 1985, Article I. General Provisions):
"Confidential information" means any information, whether recorded or not, relating to an individual served by a facility that was received in connection with the performance of any function of the facility. Confidential information does not include statistical information from reports and records or information regarding treatment or services which is shared for training, treatment, habilitation, or monitoring purposes that does not identify clients either directly or by reference to publicly known or available information.

Slide 26: Current State Law Environment
- States are philosophically aligned
- State privacy and consent laws are diverse in content
- Diversity in organizational policies within states
- See Roadmap appendices A and B for the ONC Consent Bibliography

Slide 27: Data Segmentation for Privacy (DS4P): How it Works
Separating policy from technical capability:
- The DS4P standard enables interoperability and provides a capability to support existing privacy law, including federal, state, and local laws
- The standard uses document-level tagging as the mechanism to convey confidentiality levels and obligations, but also specifies how to be more granular (e.g. sections or entries inside the document)
- Whether the finer granularity is used depends on whether the implementing (sending or receiving) system can support it

Slide 28: Policy Challenges
Laws tell data-holders not to disclose; law rarely tells them what to say about that non-disclosure. For example:
- HIV Status: **Redacted**. This is a likely indicator that the patient has a test result; if the applicable law protects results of tests, not occurrences, this may indicate a positive result.
- HIV Status: **No data available**. This may be misleading for a physician, who may then make a health decision for the patient without knowing important details that could lead to safety issues.
- HIV Status: [record is silent]. This is ambiguous: the recipient does not know whether there was a redaction or no data is available.

Slide 29: Call to Action: Things to Solve
How to segment: there are multiple levels at which segmentation could occur, such as:
- Type of data (category of data, e.g. medications, diagnostic codes, etc.)
- Clinical category of code, of whatever type
- Disclosing provider
- Intended recipient
- Program type (e.g. Part 2 clinic)
Structured vs. unstructured data: the prevalence of free text complicates identification of data that is subject to enhanced protection.

Slide 30: Call to Action: Things to Solve
Granularity: should data be segmented:
- At the whole document level?
- For parts of a document?
- According to clinical nature within the document?
Standardized mapping of specially protected categories to codes would make segmentation more predictable:
- For individuals, through standard understanding
- For providers, through standard expectations
- For developers, with less confusion about what law requires
Currently, not every receiving system can understand 42 CFR Part 2 segmented data, i.e., the system does not recognize that it is receiving data that is subject to heightened protections based on Part 2 law.
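Slides 27 through 30 describe three distinct mechanics: tagging at document and entry level, the sender's choice of how to represent a non-disclosure, and a receiver that does not recognize Part 2 tags. The following is an added example, not the DS4P specification and not ONC or S&I Framework code, that models all three in one small document pipeline. Its confidentiality and obligation codes are modelled on HL7's vocabulary (N for normal, R for restricted, NORDSCLCD for "no redisclosure without consent directive"), but the exact values, the `Entry`/`Document` model, the `PROTECTED_PROGRAMS` set and the sample entries are assumptions for illustration. The sender tags by program (the Part 2 rule: a blood pressure reading from a Part 2 program is restricted regardless of its clinical nature), the receiver quarantines any tag it does not understand instead of importing it as ordinary data, and the rendering step returns "redacted", "no-data" and "present" as distinct machine-readable states so the recipient is never left with the silent-record ambiguity of slide 28.

```python
"""Document-level and entry-level privacy tagging in the style of DS4P.

Added example, not the DS4P specification or any ONC code. Confidentiality
and obligation codes are modelled on HL7's vocabulary (N = normal,
R = restricted; NORDSCLCD = no redisclosure without consent directive) but
the exact values and the small document model are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

NORMAL, RESTRICTED = "N", "R"
NO_REDISCLOSE = "NORDSCLCD"

# Programs whose output is specially protected because of where care was given
# (the deck's Part 2 rule), independent of the clinical nature of each entry.
# Assumed program identifiers.
PROTECTED_PROGRAMS = {"part2"}


@dataclass(frozen=True)
class Entry:
    category: str                    # e.g. "vital-sign", "lab", "medication"
    text: str
    program: str | None = None       # program that supplied the care
    confidentiality: str = NORMAL
    obligations: tuple[str, ...] = ()


@dataclass(frozen=True)
class Document:
    entries: list[Entry]
    confidentiality: str = NORMAL    # document-level tag = strictest entry tag
    obligations: tuple[str, ...] = ()


def segment(entries: list[Entry]) -> Document:
    """Sender side: tag each entry by program, then lift the strictest tag to the document."""
    tagged = []
    for e in entries:
        if e.program in PROTECTED_PROGRAMS:
            tagged.append(Entry(e.category, e.text, e.program, RESTRICTED, (NO_REDISCLOSE,)))
        else:
            tagged.append(Entry(e.category, e.text, e.program, NORMAL, ()))
    restricted = any(t.confidentiality == RESTRICTED for t in tagged)
    return Document(tagged,
                    RESTRICTED if restricted else NORMAL,
                    (NO_REDISCLOSE,) if restricted else ())


def receive(doc: Document, understood: set[str]) -> dict:
    """Receiver side: import only entries whose tag it can interpret; fail closed on the rest."""
    imported, quarantined = [], []
    for e in doc.entries:
        (imported if e.confidentiality in understood else quarantined).append(e)
    return {
        "imported": imported,
        "quarantined": quarantined,            # unknown tag: never treated as ordinary data
        "redisclosure_allowed": NO_REDISCLOSE not in doc.obligations,
    }


def render(doc: Document, may_see_restricted: bool, asked_for: set[str]) -> dict:
    """Answer each requested category with an explicit state rather than silence."""
    out = {}
    for cat in sorted(asked_for):
        matching = [e for e in doc.entries if e.category == cat]
        visible = [e.text for e in matching
                   if e.confidentiality != RESTRICTED or may_see_restricted]
        if not matching:
            out[cat] = {"status": "no-data"}                # nothing was ever recorded
        elif not visible:
            out[cat] = {"status": "redacted", "reason": "applicable-law"}  # withheld by policy
        else:
            out[cat] = {"status": "present", "values": visible}
    return out


# Constructed sample: the deck's blood-pressure-in-a-Part-2-program case plus one
# ordinary primary-care entry.
SAMPLE_ENTRIES = [
    Entry("vital-sign", "BP 128/82", program="part2"),
    Entry("medication", "lisinopril 10 mg", program="primary-care"),
]


def run_sample() -> dict:
    """Tag the sample, then show a Part 2-unaware and a Part 2-aware receiver side by side."""
    doc = segment(SAMPLE_ENTRIES)
    return {
        "doc_conf": doc.confidentiality,
        "naive": receive(doc, understood={NORMAL}),              # does not know "R"
        "aware": receive(doc, understood={NORMAL, RESTRICTED}),
        "view": render(doc, False, {"vital-sign", "medication", "lab"}),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_sample())
```

The two `receive` calls are the point of slide 30: the Part 2-unaware system here quarantines the restricted entry rather than importing it as unprotected data, which is the safe default when a receiver meets a tag it was not built for. The explicit states from `render` do not settle the legal question of what a holder may say about a non-disclosure, but they keep the sender's choice, whatever policy dictates, from collapsing into an ambiguous silent record at the receiver.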
Slide 31: Section H: Consistent Representation of Authorization to Access Health Information

Slide 32: Defining Terms
- authorization (lowercase): the scope or amount of information a person or system is allowed to access
- Authorization (capitalized): a signed HIPAA document, required when HIPAA calls for one, documenting that an individual authorizes the covered entity to release their PHI (can be paper or electronic)
- Local user authorization is out of scope for the Roadmap

Slide 33: Authorization Across Exchange Contexts

Slide 34: Call to Action: Things to Solve
What needs to be documented to ensure that callers are authorized to access data:
- Patients
- Personal representatives
- Other providers
- Other health IT
Building trust so that apps do not need prior approval by the API vendor (whitelisting). Trustmarks as a way to convey trust?

Slide 35: Summary

Slide 36: Summary
- Ensuring that privacy & security is not a roadblock but an enabler to appropriate data flows
- Address both policy & technical questions
- Collaboration and industry involvement needed

Slide 37: Additional Resources
- Security Risk Assessment Tool
- Guide to Privacy and Security of Electronic Health Information
- OCR's website

Slide 38: Thank You

Slide 39: Backup & Additional Reading

Slide 40: Examples of ONC's Efforts to Work With Industry
- Health IT certification program
- Governance efforts
- Standards efforts: Advisory, S&I Framework, SITE
- Programs' recent funding opportunities
- FACAs, listening sessions
- Education efforts

Slide 41: Tracking Progress and Measuring Success

Slide 42: National Strategy for Trusted Identities in Cyberspace (NSTIC)
Calls for building an identity ecosystem where:
Slide 43: DS4P Standards: What can DS4P do?
- DS4P was tested on substance abuse information (for example, 42 CFR Part 2 data), where the category of special protection derives from the federally funded program where the care is supplied
- 42 CFR Part 2 (Part 2) is a federal law and does not change across state lines
- Part 2 protection attaches to care supplied in facilities covered by that regulation and the statute it derives from
- DS4P can therefore recognize that a provider applied special protections because of the physical source of the data; segmentation can therefore be based on the whole program, not specific clinical portions of it
- For example, in a Part 2 covered program a physician may track a patient's blood pressure. Although this data might not be specially protected otherwise, it is specially protected because the care is supplied in a Part 2 covered program.

Slide 44: DS4P Standards: What are DS4P's Limits?
What about segmentation necessary due to the clinical nature of the data (not a location)?
- There are 8 basic categories of special privacy protections due to clinical nature, not necessarily where care was provided: HIV/AIDS; drug/alcohol abuse (not Part 2); mental health/behavioral health; reproductive health of women; genetic information (not GINA); STD; teen health information; domestic violence health information.
- DS4P might be effective if there were harmonization between legal definitions of what is protected and medical codes (e.g. ICD-10). Harmony is lacking. Example: in a PCP office, some collected information is specially protected, such as evidence that a chlamydia test occurred, while other information is not. All care occurs in the same place.
- Even if a disclosing system segments data, the receiving system may not be able to recognize that segmentation (more later).

Slide 45: DS4P Standards: What does this tell us?
- Technical standards can help organizations implement policy, but first the policy must support the use of the technical standards.
- Currently, although state law is philosophically aligned, it is not harmonized, so nationwide mapping to code sets has not taken root.
- Lack of harmony may: exaggerate privacy concerns because of confusion; undermine potential business cases for interoperable information exchange; foster skepticism about the ability of information exchange to deliver comprehensive data.
HIPAA for HIT and EHRs Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals Donald Bechtel, CHP Siemens Health Services Patient Privacy Officer Fair Information Practices
More informationGetting Hip to the HIPAA and HITECH Act Compliance
Getting Hip to the HIPAA and HITECH Act Compliance NaNotchka M. Chumley, D.O., M.P.H. Family Medicine Physician Los Angeles, CA Integrating Global Trade & Logistic and Cybersecurity Westin St. Francis,
More informationRE: Comments on Discussion Draft Ensuring Interoperability of Qualified Electronic Health Records.
April 8, 2015 The Honorable Michael Burgess, MD 2336 Rayburn House Office Building Washington, DC 20515 RE: Comments on Discussion Draft Ensuring Interoperability of Qualified Electronic Health Records.
More informationMobile Medical Devices and BYOD: Latest Legal Threat for Providers
Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and
More informationVirginia Government Finance Officers Association Spring Conference May 28, 2014. Cloud Security 101
Virginia Government Finance Officers Association Spring Conference May 28, 2014 Cloud Security 101 Presenters: John Montoro, RealTime Accounting Solutions Ted Brown, Network Alliance Presenters John Montoro
More informationMay 7, 2012. Re: RIN 0991-AB82. Dear Secretary Sebelius:
May 7, 2012 Department of Health and Human Services Office of the National Coordinator for Health Information Technology Attention: 2014 Edition EHR Standards and Certification Proposed Rule Hubert H.
More informationHIPAA Audits Are Here!
HIPAA Audits Are Here! How to prepare for and what to expect when OCR comes knocking May 12, 2016 James B. Wieland, Principal, Ober Kaler Emily H. Wein, Principal, Ober Kaler David Holtzman, VP of Compliance,
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationWireless Infusion Pumps: Securing Hospitals Most Ubiquitous Medical Device
Wireless Infusion Pumps: Securing Hospitals Most Ubiquitous Medical Device The Healthcare Sector at the NCCoE MARCH, 3 2016 THE NATIONAL CYBERSECURITY LAB HELPS SECURE HIT 1. About Us: The National Cybersecurity
More informationTELEMEDICINE UPDATE:WHAT S NEW IN 2014? Vanessa A. Reynolds, P.A. vreynolds@broadandcassel.com
TELEMEDICINE UPDATE:WHAT S NEW IN 2014? Vanessa A. Reynolds, P.A. vreynolds@broadandcassel.com What is telemedicine? Telemedicine has been defined as broadly as the use of medical information exchanged
More informationTELEHEALTH APPLICATION INITIAL APPROVAL
DEPARTMENT OF HEALTH SERVICES Division of Quality Assurance STATE OF WISCONSIN Page 1 of 7 TELEHEALTH APPLICATION INITIAL APPROVAL By completing and submitting this application, the program/service affirms
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationPurpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.
Federal CIO Council Information Security and Identity Management Committee (ISIMC) Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies DRAFT V0.41 Earl Crane, CISSP, CISM
More informationIntelligent Security Design, Development and Acquisition
PAGE 1 Intelligent Security Design, Development and Acquisition Presented by Kashif Dhatwani Security Practice Director BIAS Corporation Agenda PAGE 2 Introduction Security Challenges Securing the New
More informationMaintaining the Privacy of Health Information in Michigan s Electronic Health Information Exchange Network. Draft Privacy Whitepaper
CHARTERED BY THE MICHIGAN HEALTH INFORMATION NETWORK SHARED SERVICES MIHIN OPERATIONS ADVISORY COMMITTEE (MOAC) PRIVACY WORKING GROUP (PWG) Maintaining the Privacy of Health Information in Michigan s Electronic
More informationHIPAA Requirements and Mobile Apps
HIPAA Requirements and Mobile Apps OCR/NIST 2013 Annual Conference Adam H. Greene, JD, MPH Partner, Washington, DC Use of Smartphones and Tablets Is Growing 2 How Info Sec Sees Smartphones Easily Lost,
More informationPrivacy & Security Requirements: from EHRs to PHRs
Privacy & Security Requirements: from EHRs to PHRs Oct 28, 2010 Presented by André Carrington, P.Eng, CISSP, CISM, CISA, CIPP/C Director, Implementation, Privacy & Security, SPS Purpose As suggested by
More informationIncreasing Security Defenses in Cost-Sensitive Healthcare IT Environments
Increasing Security Defenses in Cost-Sensitive Healthcare IT Environments Regulatory and Risk Background When the Health Insurance Portability and Accountability Act Security Standard (HIPAA) was finalized
More informationTechnical Assistance Document 5
Technical Assistance Document 5 Information Sharing with Family Members of Adult Behavioral Health Recipients Developed by the Arizona Department of Health Services Division of Behavioral Health Services
More informationWe are required to provide this Notice to you by the Health Insurance Portability and Accountability Act ("HIPAA")
PRIVACY NOTICE We are required to provide this Notice to you by the Health Insurance Portability and Accountability Act ("HIPAA") THIS NOTICE DESCRIBES HOW PERSONAL AND MEDICAL INFORMATION ABOUT YOU MAY
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationFDA Releases Final Cybersecurity Guidance for Medical Devices
FDA Releases Final Cybersecurity Guidance for Medical Devices By Jean Marie R. Pechette and Ken Briggs Overview and General Principles On October 2, 2014, the Food and Drug Administration ( FDA ) finalized
More informationRe: 21st Century Cures Discussion Draft Legislation Interoperability Section
May 7, 2015 The Honorable Fred Upton Chairman, House Energy and Commerce Committee United States House of Representatives Washington, DC 20515 The Honorable Diana DeGette Member, House Energy and Commerce
More informationChild Selection. Overview. Process steps. Objective: A tool for selection of children in World Vision child sponsorship
Sponsorship in Programming tool Child Selection Objective: A tool for selection of children in World Vision child sponsorship We ve learned some things about selecting children. It is not a separate sponsorship
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationHow To Write A Community Based Care Coordination Program Agreement
Section 4.3 Implement Business Associate and Other Agreements This tool identifies the types of agreements that may be necessary for a community-based care coordination (CCC) program to have in place in
More informationAppendix B: Existing Guidance to Support HIE Implementation Opportunities
Appendix B: Existing Guidance to Support HIE Implementation Opportunities APPENDIX B: EXISTING GUIDANCE TO SUPPORT HIE IMPLEMENTATION OPPORTUNITIES There is an important opportunity for the states and
More information