HIPAA Security & Compliance




Creative Mind. Creative Heart. Creative Care.
2014 WALA Spring Conference
HIPAA Security & Compliance
Jeff Grady
Thursday, March 27, 10:30 am

HIPAA Security & Compliance: A TIME FOR ACTION
Jeff Grady, Senior Director of Operations, Three Pillars Technology Solutions LLC
Thursday, March 27, 2014, 10:30 - 11:45 p.m. Breakout session

Introduction
- Presenter background and information on Three Pillars Technology
- Benefits of WALA membership and their HIPAA Resource Guide
- Goals for this presentation
- Audience survey

What has changed with HIPAA and why is it important?
HIPAA (Health Insurance Portability and Accountability Act): a brief history and overview of its evolution
- HIPAA was enacted by Congress in 1996
- Privacy Rule and Security Rule: ~2003 to 2006
- HIPAA Enforcement Rule: 2006
- HIPAA/HITECH enacted in 2009
- HIPAA/HITECH Final Omnibus Rule published in 1/2013, with a compliance deadline, for most of its provisions, of September 23, 2013

The Business Case for Compliance, or Why Should I Care?
http://www.alfa.org/news/3520/new
"HIPAA Rules Are Assisted Living Game Changer"

What are the potential risks and impact of non-compliance?
- Risk of OCR Audit and Fines
- Willful Neglect Finding
- Costs of a PHI breach
- Loss of Goodwill and Reputation as a result of breach
- Protection of sensitive data has become an expectation of both your customers and business partners
- Then there's the ticking time bomb of HIPAA compliance: RIN 0945-AA04

Fines
- $1.7 Million to Alaska Department of Health and Human Services for Unencrypted USB Drive Stolen
- $1.5 million fine to Massachusetts Eye and Ear Infirmary for a data compromise involving a lost laptop
- $400,000 fine to Idaho State University for failing to maintain strong firewall configuration
- $50,000 to hospice in Idaho for lost unencrypted laptop
- $1.7 Million to WellPoint for not properly authorizing access to an online application database

Challenges to achieving best practice HIPAA compliance
Attitudes of:
- HIPAA denial
- Complacent compliance, or taking a "Let's just wait and see" approach
- The main objective is achieving regulatory compliance with your Policies and Procedures (a/k/a 3 Ring Binder Style Compliance) while neglecting your Security Practices
  o Creates very real danger of taking false comfort in what may be an illusion of compliance
  o Caveat: The best, most expensive and most up-to-date policies and procedures in the world, if not matched by practice implementation, will not prevent a PHI breach

Typical Assessment Findings
- Risk Assessments are not complete, are improperly conducted or are not up to date
- Organizations are mistaking Gap Analysis and/or Vulnerability Assessments for Risk Assessments
- Policies, Standards and Procedures on critical practices are not complete or none exist at all

Goal #1: Avoid Willful Neglect
Seven (7) Basic HIPAA Compliance Health Check Questions Every Healthcare Covered Entity and Business Associate Needs to Ask Themselves
1. Have you conducted a legitimate HIPAA Risk Assessment which has been documented and is not outdated?
2. Do you have written and appropriately updated HIPAA Privacy and Security policies in place?
3. Have you designated an individual trained to function in the role of your HIPAA Privacy and Security Officer?
4. Do you have an ongoing, documented Risk Management program?
5. Does your organization have a documented HIPAA education, awareness and training program in operation?
6. Have you reviewed, revised and updated your Business Associate Agreements, as necessary?
7. Do you have a PHI (Protected Health Information) Breach occurrence and notification policy and process in place, and have you updated it to reflect changes made by the new HIPAA / HITECH rules?

Importance of the HIPAA Security Risk Assessment
Wake Up!! It's no longer a Three Ring Binder Policy and Procedure compliance world
DIY or Get Some Help
Recommended Action Steps to Take

Compliance Assessment vs. Risk Assessment
- A Compliance Assessment is a gap analysis that identifies gaps in the organization on HIPAA Administrative, Physical and Technical specifications
- A Risk Assessment is more in depth and includes these elements in the report and work papers:
  o Threat Source List
  o Inventory Asset List
  o Risk Level of High, Medium and Low for each risk, based on Likelihood and Impact scores
  o Likelihood determination for each risk
  o Impact determination for each risk

Necessary Documents and Practices
- Access, Authorization and Authentication Controls
- Anti-Malware Practices
- Application Development Practices
- Asset Classification and Sensitivity Practices
- Asset Management Practices
- Acquisition of New Company Practices
- Change Management Practices
- Configuration Management Practices
- Communications and Operations Management
- Computer System Acceptable Use Practices
- Data Backup Practices
- Data Retention Practices
- Disaster Recovery & Business Continuity Practices
- Encryption and Digital Signature Practices
- Incident Handling Practices
- Logging and Auditing Practices
- Organizational Security Policy
- Password Protection Practices
- Patch Management Practices
- Personnel Security Controls Practices
- Physical and Environmental Controls
- Remote Access and VPN Practices
- Risk Assessment Practices
- Security Awareness Practices
- Software Licensing Practices
- Data Leakage Protection Practices

Develop an action plan and commence action
Problem: Where to start?
Solution: Management defines the policy
- Create the policy
- Conduct risk assessment based on policy
- Determine gaps and deficiencies
- Prioritize risks (i.e. per risk assessment)
- Approve projects to remediate and implement
- Commence ongoing review of policy, procedure and practices; recognize that threats and risks change, and that best practice security practice is dynamic, not static
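The report elements the slide lists (threat source list, inventory asset list, likelihood and impact per risk, a High/Medium/Low level) as a runnable risk register; this is an added example, not material from the slides or from Three Pillars, and the 1-3 scoring scale, the level thresholds and the sample assets, threats and scores are assumptions. It also flags the work-paper gaps that separate a true risk assessment from a plain gap analysis.

```python
from dataclasses import dataclass

# Scoring scale and thresholds are assumptions: the slide names likelihood,
# impact and High/Medium/Low but gives no numeric scale.
SCALE = (1, 2, 3)          # 1 = low, 2 = medium, 3 = high
HIGH, MEDIUM = 6, 3        # likelihood * impact thresholds

@dataclass
class Risk:
    asset: str        # must appear in the inventory asset list
    threat: str       # must appear in the threat source list
    likelihood: int   # likelihood determination for this risk
    impact: int       # impact determination for this risk

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        s = self.score()
        return "High" if s >= HIGH else "Medium" if s >= MEDIUM else "Low"

def assess(risks, assets, threats):
    """Rank risks by score and report work-paper gaps.
    A gap analysis only lists missing HIPAA specifications; a risk assessment
    must tie each risk to an inventoried asset, a listed threat source and
    explicit likelihood/impact scores. Anything missing becomes a finding."""
    findings = []
    for r in risks:
        if r.asset not in assets:
            findings.append(f"{r.asset}: not in inventory asset list")
        if r.threat not in threats:
            findings.append(f"{r.threat}: not in threat source list")
        if r.likelihood not in SCALE or r.impact not in SCALE:
            findings.append(f"{r.asset}/{r.threat}: scores outside {SCALE}")
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return ranked, findings

# Constructed sample work papers for a hypothetical assisted-living provider.
ASSETS = {"Laptop fleet", "EHR database", "Backup tapes"}
THREATS = {"Device theft", "Unauthorized access", "Ransomware"}
RISKS = [
    Risk("Laptop fleet", "Device theft", likelihood=3, impact=3),
    Risk("EHR database", "Unauthorized access", likelihood=2, impact=3),
    Risk("Backup tapes", "Ransomware", likelihood=1, impact=2),
    Risk("USB drives", "Device theft", likelihood=3, impact=3),  # not inventoried
]

RANKED, FINDINGS = assess(RISKS, ASSETS, THREATS)
for r in RANKED:
    print(f"{r.level():6} {r.score():2}  {r.asset} / {r.threat}")
```

The un-inventoried USB drives score as High yet surface as a finding, which is exactly the "mistaking a gap analysis for a risk assessment" problem the earlier slide describes.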

Recommended Next Steps
- Perform a Compliance Gap Assessment and check to ensure that your Risk Assessment is adequate and up to date
- Conduct a true and thorough Security Risk Assessment if you have not done so
- Budget for and implement controls based on findings in the Risk Assessment

Thank You
Three Pillars Technology Solutions LLC
2701 International Lane, Suite 201
Madison, WI 53704
www.threepillarstechnology.com