Sustainable HIPAA Compliance: Enhancing Your Epic Reporting. FairWarning Executive Webinar Series, October 17, 2013





Today's Panel
- Chris Arnold, FairWarning VP of Product Management, Chris@FairWarning.com
- Chuck Burbank, FairWarning Director of Managed Services, Chuck@FairWarning.com
- Kurt J. Long, FairWarning Founder, Kurt@FairWarning.com

FairWarning and Epic Production Customers
- 44 production customers
- 10,267 employees on average (range 2,500 to 60,000)
- On average 1,300 physicians across 6 hospitals and 36 clinics
- Moving from legacy EHR to Epic for Meaningful Use
- Converting from paper to Electronic Health Records
- 3 applications in addition to Epic; several are monitoring 12-16 additional applications that touch PHI
- 17 of 44 customers are using DLP or SIEM in cooperation with FairWarning Patient Privacy Monitoring

Agenda
- Motivations for Compliance and Privacy
- Key Elements for Sustainable Compliance
- User Activity Monitoring in a KPMG/OCR HIPAA Audit
- Lessons Learned from Epic-Based Environments
- Hands-on Demonstration
- FairWarning Achievement & Educational Programs
- Q&A

Why Compliance & Privacy Matters: Security Compliance Impacting Outcomes, Revenue and Lives
- 27% of US patients withhold medical information due to privacy concerns
- COMPLIANCE: User Activity Monitoring was found to be the #1 deficiency in 115 HIPAA pilot audits, according to the Office for Civil Rights
- More than 100,000 care providers have adopted EHRs and realize payments under Meaningful Use
- REPUTATION: 85% of patients indicate that a care provider's reputation for protecting privacy influences their choice to seek care from that provider
- FINANCIAL DAMAGE: An estimated average of 2 million Americans are victims of medical identity theft yearly, with an estimated total cost of $41 billion
Sources: New London Consulting US Survey; Ponemon Study; HHS.gov; OCR NIST Presentation

Regulatory Framework for HIPAA Compliance
- HIPAA Audit Protocol: User Activity Monitoring
- 2014 OCR HIPAA Enforcement: #1 Security Gap from Pilot Audits
- Patient Privacy Monitoring
- ARRA HITECH Meaningful Use: Electronic Health Records, Audit Logs Required, Security Risk Analysis / Correct Deficiencies
- Protect Your Reputation
- Position Yourself for HIPAA Compliance

Sustainable HIPAA Compliance for User Activity Monitoring
- Written, appropriate access policies
- Documented sanctioning program
- Automated enforcement of access policies
- Proactive alerting
- Consistent and documented investigation
- Governance and audit reporting
- Patient notification and governmental reporting

HIPAA Audit Protocol: FairWarning 3.1 Maps Directly to OCR HIPAA Audit Protocol Security Requirements
(Columns of the original table: HIPAA Security Rule | Established Performance Criteria | Key Activity | Audit Procedures | FairWarning Solution)

164.308(a)(1)(ii)(D) Security Management Process
- Performance criteria: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Key activity: Develop and deploy the information system activity review process.
- Audit procedures: Inquire of management as to whether formal or informal policy and procedures exist to review information system activities, such as audit logs, access reports, and security incident tracking reports. Obtain and review formal or informal policy and procedures and evaluate the content in relation to the specified performance criteria to determine if an appropriate review process of information system activities is in place. Obtain evidence for a sample of instances showing implementation of covered entity review practices. Determine if the covered entity policy and procedures have been approved and updated on a periodic basis.
- FairWarning solution: FairWarning Analytics and Reports enable reviewing of information system activity, such as audit logs and access reports. FairWarning Investigations centralize management and tracking of security incidents.

164.312(b) Audit Controls
- Performance criteria: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Key activity: Determine the activities that will be tracked or audited.
- Audit procedures: Inquire of management as to whether audit controls have been implemented over information systems that contain or use ePHI. Obtain and review documentation relative to the specified criteria to determine whether audit controls have been implemented over information systems that contain or use ePHI.
- FairWarning solution: FairWarning Analytics record and examine activity in systems with ePHI. These Analytics can then be automated as Enforced Policies to proactively alert users of any activity that is being tracked or audited.

HIPAA Audit Protocol: FairWarning 3.1 Maps Directly to OCR Audit Protocol HIPAA Security Requirements (continued)

164.312(b) Audit Controls
- Performance criteria: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Key activity: Select the tools that will be deployed for auditing and system activity reviews.
- Audit procedures: Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary to implement audit capabilities. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.
- FairWarning solution: FairWarning's Ready Programs map to and support over 185 applications that touch ePHI. Nearly 50 applications have been fully certified by FairWarning to provide the necessary data to effectively audit access to ePHI.

164.312(b) Audit Controls
- Performance criteria: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Key activity: Develop and deploy the information system activity review/audit policy.
- Audit procedures: Inquire of management as to whether a formal or informal audit policy is in place to communicate the details of the entity's audits and reviews to the work force. Obtain and review formal or informal policies and procedures and evaluate the content in relation to the specified criteria to understand whether a formal audit policy is in place to communicate the details of the entity's audits and reviews to the work force. Obtain and review an email, or some form of communication, showing that the audit policy is communicated to the work force. Alternatively, a screenshot of the audit policy located on the entity's intranet would suffice.
- FairWarning solution: The FairWarning Implementation Toolkit is an open-copyright best practices guide on how other customers implemented formal audit policies and how they communicated them to the work force.

164.312(b) Audit Controls
- Performance criteria: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Key activity: Develop appropriate standard operating procedures.
- Audit procedures: Inquire of management as to whether procedures are in place for the systems and applications to be audited and how they will be audited. Obtain and review management's procedures in place to determine the systems and applications to be audited and how they will be audited.
- FairWarning solution: FairWarning centralizes where and how applications are audited. All systems touching ePHI can be audited through the FairWarning Analytics and Reports. These audits can be automated as Enforced Policies, and all investigations can be centrally managed within the product. Governance and dashboard reports give executive views of the effectiveness of the policies being enforced.

What OCR Wants to See
- Written privacy and security policies and procedures
- Evidence that you are following these policies and procedures
- Review of sample investigations, written sanctions and other means by which you respond to identified breaches

Most Common FairWarning Policies for an Epic Environment
- Quick Reports
- Activity Access Reports
- Break the Glass Access
- Co-worker and Employee Snooping Activity Reports
- Deceased and Discharged Patient Access Activity Report
- Neighbor Snooping Activity Report
- Simultaneous Logins Activity Report
- VIP Access Activity Report
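To make concrete what analytics of this kind compute, the following Python script, added here and not FairWarning's or Epic's code, evaluates five of the listed policies (simultaneous logins, co-worker snooping, deceased/discharged patient access, neighbor snooping, VIP access) over a handful of constructed access-log records. The log field layout, the authoritative lookup tables (employee patient records, discharge dates, VIP flags, ZIP codes, documented care relationships) and the thresholds (a 5-minute login window, a 7-day post-discharge grace period) are all assumptions made for this illustration; a real deployment would join the EHR audit log against the organization's HR and patient data and tune the thresholds to its own access policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log records (assumed field layout, not Epic's real
# audit-log schema): (timestamp, user_id, workstation, patient_id, action).
ACCESS_LOG = [
    ("2013-10-17T08:00:00", "nurse01", "WS-ICU-1", "P100", "view"),
    ("2013-10-17T08:03:00", "nurse01", "WS-ER-7", "P200", "view"),
    ("2013-10-17T09:00:00", "clerk02", "WS-REG-2", "P300", "view"),
    ("2013-10-17T10:00:00", "dr03", "WS-ONC-1", "P400", "view"),
    ("2013-10-17T11:00:00", "clerk02", "WS-REG-2", "P500", "view"),
    ("2013-10-17T11:30:00", "clerk02", "WS-REG-2", "P700", "view"),
    ("2013-10-17T12:00:00", "dr03", "WS-ONC-1", "P600", "view"),
]

# Constructed authoritative user and patient data that the analytics join against
# (in a real deployment these come from HR, ADT and the EHR itself).
EMPLOYEE_PATIENTS = {"P300"}                        # patient records belonging to staff
DISCHARGE_DATE = {"P400": "2013-10-01T00:00:00"}    # discharged or deceased patients
VIP_PATIENTS = {"P500"}
USER_HOME_ZIP = {"clerk02": "33701", "nurse01": "33602", "dr03": "33609"}
PATIENT_ZIP = {"P700": "33701", "P100": "33602"}    # P100 shares nurse01's ZIP but is treated by her
CARE_RELATIONSHIP = {("nurse01", "P100"), ("nurse01", "P200"), ("dr03", "P600")}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def has_care_relationship(user, patient):
    """A documented treatment relationship is the usual reason an access is legitimate."""
    return (user, patient) in CARE_RELATIONSHIP


def simultaneous_logins(log, window_minutes=5):
    """Same user active on two different workstations within the window (shared credentials)."""
    by_user = defaultdict(list)
    for ts, user, ws, _patient, _action in log:
        by_user[user].append((_ts(ts), ws))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (t1, ws1) in enumerate(events):
            for t2, ws2 in events[i + 1:]:
                if t2 - t1 > window:
                    break                     # events are sorted, so later ones are outside the window
                if ws1 != ws2:
                    alerts.append((user, ws1, ws2))
    return alerts


def coworker_snooping(log):
    """Access to a fellow employee's patient record with no care relationship."""
    return [(user, patient) for _, user, _, patient, _ in log
            if patient in EMPLOYEE_PATIENTS and not has_care_relationship(user, patient)]


def discharged_patient_access(log, grace_days=7):
    """Access to a discharged or deceased patient's record after the grace period for chart completion."""
    grace = timedelta(days=grace_days)
    return [(user, patient) for ts, user, _, patient, _ in log
            if patient in DISCHARGE_DATE and _ts(ts) > _ts(DISCHARGE_DATE[patient]) + grace]


def neighbor_snooping(log):
    """User views a patient who shares the user's home ZIP code without a care relationship."""
    return [(user, patient) for _, user, _, patient, _ in log
            if USER_HOME_ZIP.get(user) is not None
            and USER_HOME_ZIP.get(user) == PATIENT_ZIP.get(patient)
            and not has_care_relationship(user, patient)]


def vip_access(log):
    """Access to a flagged VIP record without a care relationship."""
    return [(user, patient) for _, user, _, patient, _ in log
            if patient in VIP_PATIENTS and not has_care_relationship(user, patient)]


def run_policies(log):
    """Run every enforced policy; each non-empty list is an alert to open an investigation on."""
    return {
        "simultaneous_logins": simultaneous_logins(log),
        "coworker_snooping": coworker_snooping(log),
        "discharged_patient_access": discharged_patient_access(log),
        "neighbor_snooping": neighbor_snooping(log),
        "vip_access": vip_access(log),
    }


if __name__ == "__main__":
    for policy, hits in run_policies(ACCESS_LOG).items():
        print(f"{policy}: {hits}")
```

Each policy is deliberately written as a join between the access log and one authoritative data source, with the care relationship as the suppression condition; that mirrors the slide's point that audit logs alone are not enough and that authoritative user data and patient data must be fed in alongside them. The hits each function returns are the records a privacy officer would document in an investigation, which is the evidence OCR asks for.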

FairWarning Ready: For predictable, consistent implementations
- Audit Logs
- Authoritative User Data
- Advanced Patient Data

Certified Solution Considerations
- Performance
- Optional filtering of audit events
- Primary Care Physician data available
- Active Directory integration
- Audit log consolidation

FAIRWARNING DEMO

Enabling Sustainable HIPAA Compliance
- Compliance Dashboard: measurement of patient privacy monitoring and compliance effectiveness
- Privacy Dashboard: recent investigations, enforced policies, alerts and privacy reports
- Robust collaborative investigations: document the legally defensible position of the care provider
- OCR HIPAA Audit Protocol: direct mapping to 5 major areas in Audit Control and Systems Activity Review
- Wide-scale support for FairWarning Ready: instant compatibility with every major EHR and over 185 applications used in healthcare
- Analytics Library: point-and-click best practice analytics, reports and administration

FairWarning Achievement & Educational Programs: www.privacyexcellenceawards.com

Contact Information
- Chris Arnold, FairWarning VP of Product Management, Chris@FairWarning.com
- Chuck Burbank, FairWarning Director of Managed Services, Chuck@FairWarning.com
- Kurt J. Long, FairWarning Founder, Kurt@FairWarning.com
- Twitter: @FairWarningInc