HIPAA HITECH ACT Compliance, Review and Training Services




Compliance, Review and Training Services

Risk Assessment and Risk Mitigation:
The first and most important step is to undertake a holistic risk assessment that examines the risks and controls related to four critical areas: processes, people, technology and governance.

When considering the organization's processes, closely examine business and IT processes. For example:
- Determine how PHI is used in each business process, both paper and electronic.

When assessing issues related to people, consider the following:
- Is staff trained in the secure handling of paper and electronic health records?
- Do the policies and procedures provide employees with adequate and up-to-date guidance?

Next, examine the technology side:
- Conduct a vulnerability assessment of the network. Pair the vulnerabilities to relevant threats for a complete picture.
- If encryption is present, is it the most up-to-date encryption algorithm?
- Is the patch management program operating effectively?
- Inventory and review all outsourced service provider agreements. Ensure a right-to-audit clause is defined in the contract.

Finally, look at governance issues:
- Identify the individuals who are responsible for the program.
- In the event of a breach, who will promptly notify management?
- Who is responsible for making sure timely information security reviews are done?

Security Compliance Deadline: 2/17/2010
- Appoint a security official.
- Implement all HIPAA security administrative, technical and physical safeguards.
- Conduct a security risk analysis.
- Amend business associate agreements to include new security rules (as early as 9/15/2009, since that is the latest date the new breach notification rules will apply).
- Enter into business associate agreements with security safeguards with any organization that provides data transmission services to you.
- Develop and maintain written security policies & procedures.
- Conduct privacy and security workforce training.
- Wait for HHS guidance (expected by 1/1/2010 and to be updated annually) regarding the most effective and appropriate technical safeguards, and consider implementing them.

Page 1 of 7

- Implement technologies or methodologies to secure (from April 2009 these are "encryption or destruction").

Privacy Compliance Deadline: 2/17/2010
- Appoint a privacy official.
- Amend business associate agreements with group health plans to include additional required provisions.
- Cure your breaches of business associate agreements.
- Enter into business associate agreements with privacy safeguards by 2/17/2010 with any organization that provides data transmission services to you.
- Comply with new HITECH minimum necessary requirements effective 2/17/2010 (further HHS guidance expected by 8/17/2009).
- Comply with changes to request-for-restriction rules.
- Comply with new marketing restrictions.
- Seek authorization prior to selling PHI for certain purposes (beginning no later than 2/17/2010, depending on when regulations are issued).
- Comply with new notification rules for breach of unsecured PHI.

Sample Detailed Review and Policies
HIPAA HITECH ACT Compliance, Review and Training Services

Introduction
To give you a better idea of what the HIPAA regulations shown on the prior page require for policies and procedures, we have put together this section as an example of what you would need to at least assess, and then codify in writing, so that it is available for audit by both your CEs (covered entities) and HHS.

Physical Safeguards (45 C.F.R. 164.310) must be enacted and monitored:
- How is PHI stored within the organization (i.e. fixed server databases/hard drives versus removable media such as backup tapes)?
- Does your company have a physical security plan?
- What types of controls exist to limit access into buildings containing servers that host PHI?
- What types of controls exist to limit access within buildings to rooms housing servers containing PHI?
- Who has access to facilities containing PHI, and what process exists to grant these individuals access?
- What environmental controls exist to protect PHI from destruction?
- To the extent PHI is physically maintained, does the organization employ shredders or other destroying devices for confidential PHI-containing documents?
- Do you train employees on the use of shredders, and document that training?

Administrative Safeguards (45 C.F.R. 164.308): Policies/Documentation (45 C.F.R. 164.316)
What policies (and procedures) are available specifically addressing HIPAA privacy and security rules and compliance, including the following:
- Risk Management
- Risk Assessment and Application Criticality Analysis (FIPS 200)
- Physical Security
- Encryption
- Remote Access
- Media and Document Destruction
- Change Control / Patch Management
- Acceptable Use (Email, Portable Media, Software, Company Resources)
- Training and Security Reminders
- Antivirus and Workstation Security
- Unique User Identification
- Audit and Log Monitoring
- Security Incident
- Contingency and Emergency Access
- Workforce Clearance, Sanction, and Access Management

- Who or what group within the organization is responsible for creating and updating these policies?
- When were the organization's policies last updated?
- How often have any of these policies been updated?
- Are new employees trained to follow these policies and procedures?
- How frequently are existing employees re-trained on existing policies and procedures?
- How frequently are existing employees trained regarding updates in HIPAA rules?
- How are personnel screened in order to grant certain levels of access to PHI?
- Does the organization have a formal security incident response plan to address potential breaches of security that includes, at a minimum:
  - Roles and responsibilities
  - Isolate the affected system
  - Preserve evidence
  - Restore the compromised system from known safe backups, and
  - A post-incident response report, including identification of lessons learned and other mitigating controls that may be indicated based on the incident?
- Does the organization require business partners to comply with its privacy and security policies?
- Does the organization ever send PHI via email or FTP (file transfer protocol)?
- Does the organization have policies or procedures related to de-identifying PHI for use in advertising, marketing, or educational programs?
- What policies and procedures exist regarding notification in the event of a breach?

Technical Safeguards (45 C.F.R. 164.312) are critical to all your security:
- What types of security exist to protect PHI as it flows to, and is accessed at, remote workstations?
- Describe the data flow life-cycle of PHI through the organization's information systems.

  This should cover hosting services, TPA, wellness, claims audit, actuarial and other partners, including sub-agents.
- Does the organization prevent browsers with un-patched security vulnerabilities from accessing the company's information system?
- What types of security and encryption protect portable media containing PHI? (Portable media should always be encrypted.)

Equipment Encryption Inventory & Checklist

Policy and Audits
- Regularly verify or audit that encryption policies are in place and being followed.

Passwords
- Use a strong password AND make it different from your computer login.
- Never write a password down.
- Do not share passwords.

Portable Devices Inventory
- Know what PHI is stored on all portable devices.
- Minimize the amount of PHI on portable devices (none in identifiable form).
- Delete PHI from all portable devices as soon as you have finished working with it.
- Only use portable storage devices, such as USB keys, that have encryption installed, or install encryption on them before using them to store PHI.

PC/Laptop/PDA/Server
- Enable operating system encryption.
- Purchase systems with whole disk encryption, OR purchase software for whole disk or virtual disk encryption on laptops/PDAs.
- Only store PHI on an encrypted disk.

- Does the organization have routine maintenance protocols that back up, delete, relocate, or otherwise impact data containing PHI?
- What types of audit mechanisms exist to track access and transmission of PHI by internal or external users? Typically audit logs include a timestamp, a unique user account, the data accessed/modified/created, and the location of the user.
- How often are these audit mechanisms used to detect abnormal use?
- Do automatic triggers exist to notify the organization of abnormal PHI use?
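The last three questions above ask whether audit logs carry the four fields named (timestamp, unique user account, data accessed, user location) and whether automatic triggers fire on abnormal PHI use. The script below is an added example, not part of the original checklist or any vendor's product: it parses a constructed, pipe-delimited audit log in a format assumed for illustration and applies three simple triggers (access outside business hours, bulk access to many distinct records in a short window, and the same account appearing from two locations within minutes). The thresholds and the business-hours window are assumed policy values a reviewer would set for their own organization.

```python
"""
Audit-log review for PHI access: parse constructed log lines carrying the four
fields the checklist names (timestamp, user account, record accessed, location)
and raise automatic triggers for abnormal use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system). The line format is
# an assumption: ISO timestamp | user account | action | record id | location
SAMPLE_LOG = """\
2024-03-04T09:12:01 | jdoe   | READ   | pt-1001 | clinic-a
2024-03-04T09:15:44 | jdoe   | UPDATE | pt-1001 | clinic-a
2024-03-04T09:20:10 | asmith | READ   | pt-2042 | clinic-b
2024-03-04T23:41:09 | asmith | READ   | pt-2043 | clinic-b
2024-03-04T10:00:00 | mlee   | READ   | pt-3001 | clinic-a
2024-03-04T10:00:05 | mlee   | READ   | pt-3002 | clinic-a
2024-03-04T10:00:09 | mlee   | READ   | pt-3003 | clinic-a
2024-03-04T10:00:14 | mlee   | READ   | pt-3004 | clinic-a
2024-03-04T10:00:20 | mlee   | READ   | pt-3005 | clinic-a
2024-03-04T10:00:25 | mlee   | READ   | pt-3006 | clinic-a
2024-03-04T10:03:00 | mlee   | READ   | pt-3007 | 203.0.113.9
"""

# Assumed policy values; tune to the organization's own risk assessment.
BUSINESS_HOURS = (7, 19)                 # 07:00-19:00 local time
BULK_THRESHOLD = 5                       # distinct records per user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=5)
LOCATION_WINDOW = timedelta(minutes=10)  # same account, two locations inside this window


def parse_log(text):
    """Parse pipe-delimited lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5 or not parts[0]:
            continue
        ts, user, action, record, location = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
            "location": location,
        })
    # Time order matters for the sliding-window and location checks below.
    return sorted(events, key=lambda e: e["ts"])


def detect_abnormal_use(events):
    """Return (kind, user, detail) tuples for each trigger that fires."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
        # Trigger 1: any PHI access outside business hours.
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append(("after_hours", e["user"],
                           f"{e['action']} {e['record']} at {e['ts'].isoformat()}"))

    for user, evs in by_user.items():
        # Trigger 2: bulk access, sliding window over this user's time-sorted events.
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            records = {x["record"] for x in window}
            if len(records) > BULK_THRESHOLD:
                alerts.append(("bulk_access", user,
                               f"{len(records)} distinct records within {BULK_WINDOW}"))
                break  # one alert per user is enough for a reviewer
        # Trigger 3: the same account seen from two locations inside a short window.
        for a, b in zip(evs, evs[1:]):
            if a["location"] != b["location"] and b["ts"] - a["ts"] <= LOCATION_WINDOW:
                alerts.append(("location_change", user,
                               f"{a['location']} -> {b['location']} within {b['ts'] - a['ts']}"))
    return alerts


def review(text=SAMPLE_LOG):
    """Convenience wrapper: parse and evaluate a log text in one call."""
    return detect_abnormal_use(parse_log(text))


if __name__ == "__main__":
    for kind, user, detail in review():
        print(f"{kind:16} {user:8} {detail}")
```

On the constructed sample this flags asmith's 23:41 read as after-hours activity, mlee's seven distinct records in three minutes as bulk access, and mlee's switch from clinic-a to an external address within the same session as a location change. Any real trigger should also record which reviewer received the alert and when, since the checklist asks how often the audit mechanism is actually used, not only whether it exists.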

Unsecured PHI - Section 13402 of the HITECH Act defined unsecured PHI as information that was not secured through the use of technology rendering the information unusable, unreadable or indecipherable, i.e. encrypted or destroyed.

Safe Harbor - Use of encryption for PHI is a Safe Harbor under the HITECH law and 47 state privacy laws.