HIPAA Breaches, Security Risk Analysis, and Audits
|
|
- Edward Powers
- 8 years ago
- Views:
Transcription
1 HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC
2 What cons?tutes PHI? HIPAA provides a list of 18 iden?fiers that cons?tute PHI. Any one of these iden?fiers in a dataset that could reasonably be used to iden?fy an individual is considered PHI. You must=
3 What is a Breach? Final rule defines breach to mean, generally, the unauthorized acquisi?on, access, use, or disclosure of protected health informa?on which compromises the security or privacy of such informa?on. Acquisi?on, Access, Use, or Disclosure of protected health informa?on (PHI) in a manner not permived under Subpart E of the Privacy Rule which compromises the security or privacy of the PHI
4 New - Breach Risk Assessment An acquisi?on, access, use, or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least four factors
5 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated
6 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated Entities should consider the type of PHI involved in the impermissible use or disclosure Is the information of more serious nature? Financial Data SSN, Credit Card number Clinical Data Consider the nature of the information and details it includes treatment plan, diagnosis, medical history information
7 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated Consider whether the unauthorized person who received the informa?on has obliga?ons to protect the privacy and security of the informa?on If in- house or within your BA, is it likely to be re- disclosed or impermissibly used If disclosed to an outside CE or BA who is bound by HIPAA
8 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been mi?gated For example: If a laptop was stolen and later recovered and a forensic analysis shows that the PHI on the computer was never compromised, then probability of low risk In contrast, if envelopes were improperly labeled and PHI was mailed out to the wrong recipients then we can assume that the likelihood of it being viewed as high
9 Breach Risk Assessment Factors 1. The nature and extent of the PHI involved 2. The unauthorized person who used the PHI or whom it was disclosed to 3. Whether the PHI was actually acquired or viewed 4. The extent to which the PHI has been miegated CEs and BAs should avempt to mi?gate the risks to the PHI following any impermissible use or disclosure CEs and BAs should consider the extent and efficacy of the mi?ga?on when determining the probability that the PHI has been compromised. Also acknowledge that the recipient of the informa?on will have an impact on whether the CE can conclude that an impermissible use or disclosure has been appropriately mi?gated.
10 Exclusions to Breach Uninten?onal- Applies to workforce members and BAs ac?ng under CE Made in good faith and under the scope of authority No further disclosures made Inadvertent- Authorized individuals at CE or BA to another Person or en?ty covered by the BA No further disclosures made Good Faith Belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such informa?on.
11 Dermatology Office Employee leaves usb flash drive in their car Thec breaks into vehicle and takes the flash drive It was never recovered.
12 Dermatology Office OCR inves?gated to find Prac?ce had not done a thorough security risk analysis ~2,200 individual records on the flash drive No policies and procedures surrounding breach no?fica?on Along with a correc?ve ac?on plan this prac?ce sevled with OCR on a $150,000 CMP Office for Civil Rights
13 ENT and Eye Prac?ce Personal laptop was stolen Contained pa?ent records along with research pa?ents 3,594 individual records in all
14 ENT and Eye Prac?ce OCR inves?gated to find Prac?ce had not done a thorough security risk analysis No policies and procedures surrounding safeguards for portable devices Along with a correc?ve ac?on plan this prac?ce sevled with OCR on a $1,500,000 CMP Included in this correc?ve ac?on plan is a 3 years of semi- annual repor?ng to HHS Office for Civil Rights
15 Managed Care Organiza?on Uses an technology company to lease business equipment Return a leased copy machine CBS Evening News was doing a report on data lec on copiers and finds theirs
16 Managed Care Organiza?on OCR inves?gated to find Prac?ce had not done a thorough security risk analysis No policies and procedures surrounding leased equipment Individual at 344,579 Along with a correc?ve ac?on plan this MCO sevled with OCR on a $1,215,780 CMP Office for Civil Rights
17 Breach Breakdown Other 13% Hacking 6% 45% Theft 22% Unauthorized Disclosure 10% Loss 4% Improper Disposal
18 Breach Breakdown Other 13% Hacking 6% How do you avoid this list? 45% Theft 22% Unauthorized Disclosure 10% Loss 4% Improper Disposal
19 Security Risk Analysis
20 Meaningful Use Objec?ve Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the encryp1on/security of data at rest and implement security updates as necessary and correct idendfied security deficiencies as part of risk management process
21 What is a Risk Analysis? Systema?c and ongoing process of: Iden?fying and examining poten?al threats and vulnerability to PHI Implemen?ng changes to make PHI more secure, then monitoring results Process should provide detailed understanding of risk to: confidendality, integrity, and availability of ephi
22 Why Conduct a Risk Analysis? Required component of Meaningful Use & HIPAA Iden?fy non- compliance of HIPAA and other rules and regula?ons Iden?fy threats and vulnerabili?es Iden?fy weaknesses that could result in unauthorized disclosures or breaches Improve processes when handling PHI
23 Step 1: System Characteriza?on Risk Analysis Steps Step 2: Threat Iden?fica?on Step 3: Vulnerability Iden?fica?on Step 4: Control Analysis Step 5: Likelihood Determina?on Step 6: Impact Analysis Step 7: Risk Determina?on Step 8: Control Recommenda?ons Step 9: Results Documenta?on
24 Step 1: System Characteriza?on Iden?fies which informa?on assets need protec?on based on cri?cality to the business and/or because ephi is processed, transmived, or stored on the system
25 Step 2: Threat Iden?fica?on Threat = Any poten?al event that can adversely impact organiza?onal opera?ons and assets involving protected health informa?on Maintain, Transmit, Process, Access Consider realis?c, probable human, environmental, and natural incidents that can have a nega?ve impact on an organiza?ons ability to protect ephi
26 Step 3: Vulnerability Iden?fica?on Vulnerability = Flaws or weaknesses in an informa?on system, system security procedures, internal controls, or implementa?on that could be exploited by a threat source. Develop a list of vulnerabili?es Focus on areas where ephi can be disclosed without proper authoriza?on, improperly modified, or made unavailable when needed.
27 Step 4: Control Analysis Determine if the implemented or planned security controls will minimize or eliminate risks to ephi
28 Step 5: Likelihood Determina?on Evaluate the likelihood/probability of a threat occurring that can cause or trigger an adverse event
29 Step 6: Impact Analysis Evaluate the impact/effect that an adverse event would have on an organiza?on if a vulnerability were exploited
30 Step 7: Risk Determina?on Risk = The poten?al impact that a given threat will exploit the vulnerabili?es of assets (such as an informa?on system) and thereby cause harm to an organiza?on. Assess level of risk to the organiza?on Risk is based off of values assigned to the likelihood and impact of a threat occurrence
31 Step 8: Control Recommenda?ons For iden?fied vulnerabili?es, evaluate what needs to be done to reduce the level of risk to the IT system and its data to an acceptable level
32 Step 9: Results Documenta?on Results Documenta?on is cri?cal in proving that the risk analysis was performed. The HIPAA Security Rule does not specify the type of documenta?on required. HIPAA requires documenta?on of the risk analysis to be retained for six years.
33 OCR HIPAA Audits
34 OCR Audits In addi?on to Meaningful Use Audits, you may also be audited by the Office of Civil Rights (OCR) for HIPAA compliance HITECH Act requires HHS to conduct periodic audits to ensure covered en??es and business associates are mee?ng HIPAA compliance requirements Office for Civil Rights
35 OCR Audits Pilot audit program completed Dec ini?al audits Audits concentrate on adherence to three rules: HIPAA Privacy Rule Security Rule Breach No?fica?on Rule Office for Civil Rights
36 Why Care About OCR Audit? Federal mandate Federal penal?es (up to $1.5 million) State fines Reputa?on risk Business risk Legal costs No?fica?on costs Increased number of breaches/avacks Loss of contracts Criminal and civil inves?ga?on
37 OCR Audit Protocol 169 total audit procedures 81 privacy audit procedures 78 security audit procedures 10 breach no?fica?on procedures
38 Auditee Selec?on Criteria Covered en??es of all sizes and types: Healthcare Providers Healthcare Plans Healthcare Clearinghouses Business Associates (subject to audits as of 2013) Random selec?on based on mul?ple factors: Public vs. Private Size (level of revenues/assets, # of pa?ents/employees, use of HIT) Affilia?on with other healthcare organiza?ons Geography Type of en?ty and rela?onship to pa?ent care
39 Types of En??es Level 1 Large provider/payer Use of HIT: extensive Revenues and/or assets greater than $1 billion Level 2 Level 3 Level 4 Large regional hospital systems Paper and HIT enabled work flows Revenues/assets between $300 and $1 billion Community hospitals, outpa?ent surgery, regional pharmacy Use of HIT: mostly paper- based Revenues between $50 and $300 million Small providers: provider prac?ces, community/rural pharmacy Use of HIT: livle or none Revenues < $50 million
40 Pilot Program: En?ty Size & Type Level 1 Level 2 Level 3 Level 4 Total Health Plans Healthcare Providers Healthcare Clearinghouses Total
41 Pilot Program: Findings HIPAA Rule Most Cited in Findings
42 Pilot Program: Findings Types of Privacy Rule Findings
43 Pilot Program: Findings Types of Security Rule Findings
44 Pilot Program: Findings Breach No?fica?on: 500+ Breaches by Type
45 Civil Monetary Penal?es (CMPs) ViolaEon Category Each ViolaEon All IdenEcal ViolaEons per Calendar Year Did Not Know $100- $50,000 $1,500,000 Reasonable Cause $1,000- $50,000 $1,500,000 Willful Neglect- Corrected $10,000- $50,000 $1,500,000 Willful Neglect- Not Corrected $50,000 $1,500,000
46 HIPAA Compliance/Enforcement *As of May 7, 2014 Total Complaints Filed (since 2003): 95,588 Total Cases Inves?gated: 32,611 Total Cases with Correc?ve Ac?on: 22,497 Total is now over $25.1 Million in Resolu?on Agreements & CMPs since 2008
47 What Now?? In 2013, OIG cri?cized OCR s enforcement of the HIPAA Security Rule as mandated by HITECH Business Associates will be subject to audits New audit protocol is in development OCR received permission to use collected CMPs to increase enforcement efforts
48 2015 Audits Common Audit Mistakes Failure to keep up with regulatory requirements No documented security program A reac?ve approach to audit Assump?ons regarding business associates agreements A checkbox approach to compliance
49 Are You Prepared? Leon Rodriguez, OCR Director Expects complaints to increase 90% in 2014 New Compliant Portal When asked about common mistakes by CEs: failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis (OCR) will leverage more civil penal?es in 2014
50 Kentucky REC Can Help! Kentucky REC offers the following services performed by AHIMA Cer?fied HIPAA Privacy & Security professionals: Security Risk Analysis addressing HITECH requirements for Meaningful Use Review of Administra?ve, Technical & Physical safeguards Remedia?on plan and?meline to eliminate or mi?gate iden?fied gaps HIPAA compliant sample policies Breach No?fica?on
Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationBuild a HIPAA- Compliant Prac5ce. Wes Strickling, Founder & CEO
Build a HIPAA- Compliant Prac5ce Wes Strickling, Founder & CEO Agenda What is HIPAA Compliance? What does it mean to your prac5ce? What should you do? Q & A What Is HIPAA Compliance? Health Insurance Portability
More informationTop Practices in Health IT Compliance. Data Breach & Leading Program Prac3ces
Top Practices in Health IT Compliance Data Breach & Leading Program Prac3ces Overview Introduc3on to ID Experts & Secure Digital Solu3ons Healthcare Data Breach Trends & Drivers Data Incident Management
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationIndustry leading Education
Industry leading Education Please ask questions #CGwebinar Todays slides are available http://compliancy- group.com/slides023/ Past webinars and recordings http://compliancy- group.com/webinar/ 855.85HIPAA
More informationPrivacy & Security The HHS Rule is Out What s New and What s Next. Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp.
Privacy & Security The HHS Rule is Out What s New and What s Next Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp.org Disclosure Mary Jo Carden is an employee of the Academy of Managed
More informationHealth Informa.on Technology Audits: "Meaningful Use" and HIPAA. January 23, 2015 Eli Poliakoff Gary Capps
Health Informa.on Technology Audits: "Meaningful Use" and HIPAA January 23, 2015 Eli Poliakoff Gary Capps 1 HITECH - Related Audits Health Informa.on Technology for Economic and Clinical Health Act ("HITECH")
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationHIPAA Update Focus on Breach Prevention
HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationCovered En**es Should Periodically Audit Third Party Vendors/Business Associates Why, What, & How?
Covered En**es Should Periodically Audit Third Party Vendors/Business Associates Why, What, & How? March 27 th 12 pm EDT Moderator: Gerry Blass Panelists: Mac McMillan, Francois Bodhuin, Lou Dignam Webinar
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More informationPresented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security
More informationDisclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement
Office of the Secretary Office for Civil Rights () Current Developments in Privacy and Security Rule Enforcement Michigan Medical Billers Association Andrew C. Kruley, J.D. Equal Opportunity Specialist
More information2012 HIPAA Privacy and Security Audits
Office of the Secretary Office for Civil Rights (OCR) 2012 HIPAA Privacy and Security Audits Linda Sanches OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits OCR 1 Agenda Background
More informationHIPAA Privacy Policy (Revised Feb. 4, 2015)
Valley Bone & Joint Clinic HIPAA Privacy Policy (Revised Feb. 4, 2015) 1. PURPOSE Valley Bone & Joint Clinic is commi2ed to protec6ng the rights of our pa6ents. In compliance with the Health Insurance
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationHIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014
HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding
More informationHIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013
Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative
More informationSecurity Is Everyone s Concern:
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules
More informationImplementation Business Associates and Breach Notification
Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationThe HIPAA Audit Program
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
More information2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents
2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationHIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012
HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationTHE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE
THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC
More informationWhat is required of a compliant Risk Assessment?
What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA
More informationPage 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;
Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationOCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement
OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure
More informationHIPAA in an Omnibus World. Presented by
HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters
More informationPatient Privacy and Security. Presented by, Jeffery Daigrepont
Patient Privacy and Security Presented by, Jeffery Daigrepont Jeffery Daigrepont, SVP No Financial Conflicts to Report Jeffery Daigrepont, Senior Vice President of The Coker Group, specializes in health
More information2016 OCR AUDIT E-BOOK
!! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that
More informationHIPAA WEBINAR HANDOUT
HIPAA WEBINAR HANDOUT OCR Enforcement Tools Voluntary corrective action Resolution Agreement and Payment CMPs Referral to DOJ for criminal investigation Resolution Agreements Contract signed by HHS and
More informationFIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?
More informationInformation Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationHIPAA Compliance and Electronic Protected Health Informa6on: Ignorance is not bliss!
Maxxum, Inc. HIPAA Compliance and Electronic Protected Health Informa6on: Ignorance is not bliss! Medical Device ephi Risk Iden6fica6on and Mi6ga6on Webinar Overview Relevance why this topic? Risk a perspective
More informationArt Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationVendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire
Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control
More informationUnderstanding HIPAA Regulations and How They Impact Your Organization!
Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor
More informationLessons Learned from HIPAA Audits
Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance
More informationStrategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager
Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org
More informationPrivacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:
HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates
More informationNEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The
More informationTexas Medical Records Privacy Act (a.k.a. Texas House Bill 300)
Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More information8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice
Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone
More informationArizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015
This page left blank intentionally. Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved
More informationHIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014
HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014 Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities
More informationYou Probably Don t Even Know
You Probably Don t Even Know That You Need To Comply With HIPAA In Collaboration With: About ERM About The Speaker Stephen Siegel, Esq., Of Counsel, Broad and Cassel Board Certified Health Law Over 25
More informationEthics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015
Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746
More informationAccounting for Disclosure Requirements Summary of Changes Included in the Proposed Rule 76 Federal Register 31426-31448 May 31, 2011
Accounting for Disclosure Requirements Summary of Changes Included in the 76 Federal Register 31426-31448 May 31, 2011 Current Rule Right to an Accounting; Content Generally An individual has a right under
More informationQ: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption?
Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? A. Most e-mail systems do not include encryption. There are
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationDissecting New HIPAA Rules and What Compliance Means For You
Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the
More informationEverett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer
ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you
More informationPrivacy & Security. Risk Management Strategies for Healthcare Data. Ohio Hospital Association Centennial Annual Meeting.
Ohio Hospital Association Centennial Annual Meeting Privacy & Security Risk Management Strategies for Healthcare Data Chris Allman, JD Director of Risk Management, Compliance & Insurance Garden City Hospital
More informationTools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits
Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Presented by: Don Waechter, Managing Partner Health Compliance Partners Ann Breitinger, Attorney Blalock Walters Legal Disclaimer
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationHIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule
HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationBreach Notification Decision Process 1/1/2014
WEDI Strategic National Implementation Process (SNIP) Privacy and Security Workgroup Breach Risk Assessment Issue Brief Breach Notification Decision Process 1/1/2014 Workgroup for Electronic Data Interchange
More informationHow To Write A Report On The Health Care Privacy And Security Rules Of Health Care For A Patient
Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012 As Required by the Health Information Technology for Economic and Clinical
More informationHIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.
HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationHow To Understand And Understand The Benefits Of A Health Insurance Risk Assessment
4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationHOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group
HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationHIPAA initially went into effect April 14, 2003. HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.
HIPAA Health Insurance Portability and Accountability Act HIPAA initially went into effect April 14, 2003 HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More information4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda
One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification Adam H. Greene, JD, MPH Partner Davis Wright Tremaine HCCA Compliance Institute April 22, 2015 Doug Pollack Chief Strategy
More informationBreaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014
Breaches Complying with the HIPAA Omnibus Final Rule You Can Be Successful! Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over
More informationOCR/HHS HIPAA/HITECH Audit Preparation
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
More informationAre You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives
Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationB. For example, a health system could own a hospital, medical groups and DME supplier and designate them as an ACE.
Kimberly Short Kirk and Brad Rostolsky I. HIPAA Implications of Physician-Hospital Integration As physicians and hospitals become increasing integrated, regulatory compliance is a key consideration. The
More information