Conducting Your HIPAA Risk Analysis Top Ten Steps



Similar documents
Richard Gadsden Information Security Office Office of the CIO Information Services

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Assessing Your HIPAA Compliance Risk

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

Our Commitment to Information Security

The HIPAA Audit Program

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Sustainable Compliance: A System for Ongoing Audit Readiness

Security Compliance, Vendor Questions, a Word on Encryption

Lessons Learned from HIPAA Audits

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

HIPAA Security Rule Toolkit

Law Firm Cyber Security & Compliance Risks

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

HIPAA and HITECH Compliance for Cloud Applications

Privacy & Security Crash Course: How Do I Do a Risk Assessment?

North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

[Company Name] HIPAA Security Awareness and Workforce Training Program Manual

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol

InfoGard Healthcare Services InfoGard Laboratories Inc.

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

2016 OCR AUDIT E-BOOK

Breach Notification Decision Process 1/1/2014

Overview of the HIPAA Security Rule

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Building Trust and Confidence in Healthcare Information. How TrustNet Helps

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

HIPAA Security & Compliance

My Docs Online HIPAA Compliance

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

How to Use the NYeC Privacy and Security Toolkit V 1.1

HIPAA and Mental Health Privacy:

C.T. Hellmuth & Associates, Inc.

Compliance Plan Required for ACO Participation

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Nine Network Considerations in the New HIPAA Landscape

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

OCR/HHS HIPAA/HITECH Audit Preparation

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Greenway Marketplace. Hear from GSG Compliance & White Plume November 14, 2013

Need Assistance selecting an EMR/EHR? OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit?

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

HIPAA Privacy Rule Policies

Security Is Everyone s Concern:

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

What do you need to know?

HIPAA: Privacy/Info Security

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Transcription:

Conducting Your HIPAA Risk Analysis Top Ten Steps You will just hear silence on the line until the Webinar begins and the WEDI moderator opens up all phone lines. Lesley Berkeyheiser & Mark Cone, Principals, N-Tegrity Solutions Group, LLC WEDI Privacy & Security Co-Chairs

Agenda Webinar Presentation Housekeeping Review Top-10 Steps Q & A

1. Prepare Your Project Define Your Scope & Identify Your Team Know Organizational Status Determine Type of Data In Scope Set Expectations for Your Team As with any significant project it is important to define your scope, deliverables, period of time and accountable resources.

2. Identify Data & Location Choose a method to record your findings Gather Tools Think About All Places Data Resides Building Blocks Choose documentation tools that support the uniqueness of your organization. If Users are good with Excel then use Excel

3. Conduct PHI Flow Scale the PHI Flow to Your Specific Organization Spreadsheets; Checklists Visual Representation Benefit of Exercise The process of completing a PHI Flow serves to enlighten workforce about global data handling and facilitates an appreciation for how the data moves through your organization.

4. Drill Down on PHI Follow the requirements of the Regulation Determine When Your Organization Creates, Receives, Maintains, and Transmits PHI Safe Harbor? Be Prepared to Report a Breach If Necessary This process emphasizes the importance of knowing HIPAA/HITECH Privacy/Breach/Security and sets the organization up to analyze in support of these regulations.

5. Measure Against the Rule Follow the requirements of the Regulation Compare the way you handle PHI against the requirements of the HIPAA Security Rule Compare each Implementation Specification List Current Safeguards & Gaps Standard IT types of Risk Assessments are core components to the overall Risk Analysis but don t forget the reason this is being conducted is to satisfy the Regulation.

6. Assess Threats / Vulnerabilities Threat Categories Human, Natural or Environmental How Likely? How Bad? Prioritize Consider Types of Threats Conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ephi. - Excerpt HIPAA Security Rule.

7. Conduct External Pen Testing Allow the IT Experts to Attempt to Break In Who Needs to Do This? How Often? What to Do With the Results? How easy it is for the outside world to get into your system and access PHI?

8. Put It All Together Figure Out What Needs To Be Done DO IT! Prioritize Apply the Reasonableness Test Assign Resources; Categories; Order and Time Frames for closure DO THE WORK Once all the hard work is done, don t forget to implement controls to conduct this on an ongoing basis. Learn from previous Risk Analysis reviews.

9. Communicate by Training Train using your custom policies and procedures Train Early Reinforce Retrain Remember People Learn Differently Train early; train often; TRAIN TRAIN TRAIN

10. Maintain Compliance The Risk Analysis Provides the Measuring Stick; But Once Attained- It Must Be Maintained Monitor Technology Monitor Workforce Behavior Policies and Procedures Annual Review??? Monitor, remember and learn from the OCR Corrective Action Plans

Review Ten Steps 1. Prepare Your Project 2. Identify Your Data and its Location 3. Conduct PHI Flow 4. Drill Down on PHI 5. Compare Data Handling Safeguards to the Rule 6. Assess Threats & Vulnerabilities 7. Conduct External Penetration Testing 8. Assemble Findings & Close the Gaps 9. Train, Train, Train 10. Monitor / Maintain Compliance

Questions? Thank you for your attention! Lesley Berkeyheiser 610-558-3332 lesley.berkeyheiser@n-tegritysolutions.com www.n-tegritytools.com WEDI Privacy & Security Co-Chair Mark Cone 816-935-9692 Mark.cone@n-tegritysolutions.com www.n-tegritytools.com WEDI Privacy & Security Co-Chair

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information