HIPAA Requirements for Data Security

Similar documents
HIPAA Compliance Guide

HIPAA Compliance Guide

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Datto Compliance 101 1

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA and Mental Health Privacy:

My Docs Online HIPAA Compliance

Why Lawyers? Why Now?

C.T. Hellmuth & Associates, Inc.

HIPAA Compliance & Privacy. What You Need to Know Now

CHIS, Inc. Privacy General Guidelines

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Richard Gadsden Information Security Office Office of the CIO Information Services

Overview of the HIPAA Security Rule

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

Healthcare Insurance Portability & Accountability Act (HIPAA)

HIPAA Security Rule Compliance

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Assessing Your HIPAA Compliance Risk

HIPAA and HITECH Compliance for Cloud Applications

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

HIPAA Privacy & Security White Paper

Preparing for the HIPAA Security Rule

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

HIPAA Security Alert

Healthcare and IT Working Together KY HFMA Spring Institute

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

HIPAA: Compliance Essentials

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

Understanding HIPAA Regulations and How They Impact Your Organization!

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

HIPAA Security COMPLIANCE Checklist For Employers

New HIPAA regulations require action. Are you in compliance?

The HIPAA Audit Program

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida Telephone (904) Facsimile (904)

HIPAA Information Security Overview

Can Your Diocese Afford to Fail a HIPAA Audit?

Montclair State University. HIPAA Security Policy

What s New with HIPAA? Policy and Enforcement Update

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Update Focus on Breach Prevention

efolder White Paper: HIPAA Compliance

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

Healthcare Compliance Solutions

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Policy Title: HIPAA Security Awareness and Training

VMware vcloud Air HIPAA Matrix

HIPAA PRIVACY AND SECURITY AWARENESS

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

M E M O R A N D U M. Definitions

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Overview of Topics Covered

SCDA and SCDA Member Benefits Group

HIPAA Security Series

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

Healthcare Compliance Solutions

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, EventTracker 8815 Centre Park Drive, Columbia MD 21045

HIPAA Security Education. Updated May 2016

HIPAA 101. March 18, 2015 Webinar

HIPAA: In Plain English

AGENDA HIP Ho AA w i rivacy d The B reach Happen? I P nc AA Secu dent R rit esp y o nse Corrective Action Plan What We Learned ACRONYMS USED

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Procedure Title: TennDent HIPAA Security Awareness and Training

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

HIPAA Requirements and Mobile Apps

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

11th AMC Conference The Privacy Security Partnership in Managing Risk June 22, 2015 Angel Hoffman, Dennis Schmidt, Jay Trinckes

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

Transcription:

HIPAA Requirements for Data Security Dennis Schmidt, HIPAA Security Officer UNC School of Medicine March, 2012

What does HIPAA Compliant Mean? It depends! The HIPAA Security Rule does not give many specific technical requirements. The Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity s particular size, organizational structure, and risks to consumers e-phi. Due diligence and industry standards apply.

What does HHS Say? The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-phi. Specifically, covered entities must: Ensure the confidentiality, integrity, and availability of all e- PHI they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and Ensure compliance by their workforce.

Administrative Safeguards Security Management Process Assigned Security Responsibility Workforce Security Information Access Management Security Awareness and Training Security Incident Procedures Contingency Plan Evaluation Business Associate Contracts

Physical Safeguards Facility Access Controls Workstation Use Workstation Security Device and Media Controls

Technical Safeguards Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security

Required vs Addressable Required means it must be implemented. Addressable means that it must be done unless the entity can document that it is not reasonable and can implement and alternative reasonable and appropriate method. Example: Encryption is Addressable

Size Matters When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider: Its size, complexity, and capabilities, Its technical, hardware, and software infrastructure, The costs of security measures, and The likelihood and possible impact of potential risks to e- PHI. Covered entities must review and modify their security measures to continue protecting e-phi in a changing environment.

Risk Analysis and Management Administrative Safeguards provisions in Security Rule require covered entities to perform risk analysis as part of their security management processes. Risk analysis process includes following activities: Evaluate the likelihood and impact of potential risks to e- PHI; Implement appropriate security measures to address the risks identified in the risk analysis; Document the chosen security measures and, where required, the rationale for adopting those measures; Maintain continuous, reasonable, and appropriate security protections.

An Ongoing Process Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-phi and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e- PHI.

The Fine Line Between HIPAA Data and Research Data The data elements may be the same or similar, however different laws regulate each. Breach reporting requirements are different. However, both types of data should be given the same levels of protection.

Enough Legal Jibberish, How Should I Secure My Data? Follow Campus Security Policies Conduct/update risk assessment of your systems/data Document, document, document!! Store data on a centrally managed server Physical Security, Access Controls, Backups, etc. Encrypt your laptops/workstations that process sensitive data Put server behind SOM or ITS firewall Use encryption technology on your data PGP Netshare, TrueCrypt, MS SQL TDE, etc.

Cloud Computing Public Clouds (Google Docs, Drop Box, Carbonite, Mozy, icloud, etc.) Okay to use for non-sensitive data Prohibited for sensitive data unless Signed Business Associates Agreement (BAA) approved by Office of University Counsel in place. Iron Mountain is currently only company that has signed one. Private Cloud (UNC NAS) Not currently approved for sensitive data

Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information