Assessing Your HIPAA Compliance Risk


Jennifer Kennedy, MA, BSN, RN, CHC
National Hospice and Palliative Care Organization

HIPAA Security Rule
- All electronic protected health information (EPHI) that a covered entity creates, receives, maintains or transmits is subject to the Security Rule.
- Covered entities must implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of that information.

First HIPAA breach settlement involving fewer than 500 patients
- Hospice of North Idaho settled a HIPAA security case for $50,000 in 2013.
- This was the first settlement involving a breach of unsecured EPHI affecting fewer than 500 individuals. The breach stemmed from the theft of an unencrypted laptop holding patient data, and OCR found the hospice had not conducted a risk analysis covering its portable devices.

The risk assessment requirement
- The HIPAA Security Rule requires covered entities to conduct a risk analysis of their organization so they can meet the Rule's administrative, physical and technical safeguards (45 C.F.R. 164.308(a)(1)(ii)(A)).
- A risk assessment also reveals where your organization's PHI and EPHI could be at risk.

RISK ASSESSMENT PRINCIPLES

Identify the scope of the analysis
- The scope the Security Rule requires is the potential risks and vulnerabilities to the confidentiality, integrity and availability of all EPHI that a covered entity creates, receives, maintains or transmits.
- This includes EPHI in every electronic form: servers, workstations, laptops, mobile devices, removable media and data in transit. Paper PHI is governed by the Privacy Rule rather than the Security Rule, but a practice-wide assessment commonly covers hard-copy records as well.

Gather data
- Identify where your PHI and EPHI is stored, received, maintained or transmitted:
  - Hard-copy files
  - Desktop computers
  - Laptop computers
  - Mobile devices
  - Servers

Identify and document potential threats and vulnerabilities
- Identify potential threats and vulnerabilities to the confidentiality, integrity and availability of PHI and EPHI.
- Risk arises where a threat has the potential to exploit a specific vulnerability, so identifying threats and vulnerabilities is central to determining the level of risk.

Identify and document threats
- Identify and document reasonably anticipated threats to PHI and EPHI.
- Compile a categorized list of threats: natural, human and environmental.
- Add threats unique to the circumstances of your own environment.
- Determine the likelihood of each threat occurring and the potential impact if it does.

Identify and document vulnerabilities
- Create a list of vulnerabilities, both technical and non-technical, in the information systems and operations that involve PHI and EPHI.
- Sources for non-technical vulnerabilities include previous risk analysis documentation, audit reports and security review reports.
- Sources for technical vulnerabilities include information system assessments, security testing of those systems, and publicly available vulnerability lists and advisories.

Assess current security measures
- Goal: analyze the security measures already in place to minimize or eliminate risks to PHI and EPHI.
- Technical measures: access controls, identification, authentication, encryption methods, automatic logoff.
- Non-technical measures: management and operational controls such as policies, procedures, standards, guidelines, assigned accountability and responsibility, and physical and environmental security measures.

TIME TO MANAGE YOUR RISK

Risk Management Steps
1. Develop and implement a risk management plan
   The plan provides structure for evaluating, prioritizing and implementing risk-reducing security measures.
2. Implement security measures
   Put the chosen measures, both technical and non-technical, into effect within the covered entity.
3. Evaluate and maintain security measures
   Continue evaluating and monitoring the mitigation measures you implemented. Risk analysis and risk management are ongoing, dynamic processes that must be periodically reviewed and updated in response to changes in the environment.
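The likelihood and impact determinations above, and the prioritization the risk management plan calls for, are easiest to keep honest in a written risk register. The following is an added example, not part of the NHPCO presentation or of the HHS guidance it draws on. It scores each asset/threat/vulnerability entry on a 3x3 likelihood-by-impact scale (an assumption for illustration; the HHS guidance permits qualitative or quantitative methods and prescribes no particular scale), sorts the register by inherent risk, flags high-rated risks that have no existing control so they go to the front of the plan, and re-scores an entry after a planned measure to show residual risk. The assets, threats, ratings and controls are constructed sample data for a small practice, not drawn from any real assessment.

```python
"""Minimal HIPAA-style risk register: likelihood x impact scoring, prioritization,
and residual risk after a planned measure. Added illustration; scale and data are
assumptions, not taken from the presentation or the HHS guidance."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Qualitative scale used for both likelihood and impact (assumed 3-point scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Risk:
    asset: str                  # where PHI/EPHI is created, stored or transmitted
    threat: str                 # the threat source
    category: str               # natural, human or environmental
    vulnerability: str          # the weakness the threat could trigger
    likelihood: Level
    impact: Level
    controls: List[str] = field(default_factory=list)  # security measures already in place

    def score(self) -> int:
        """Inherent risk = likelihood x impact on the 3x3 scale, so 1..9."""
        return int(self.likelihood) * int(self.impact)


def rating(score: int) -> str:
    """Map a 1..9 score onto the three bands used for prioritization (assumed cut-offs)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent risk first; ties broken by asset name so reports are stable."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def unmitigated_high_risks(register: List[Risk]) -> List[Risk]:
    """High-rated risks with no existing control: first candidates for the plan."""
    return [r for r in register if rating(r.score()) == "High" and not r.controls]


def residual_score(risk: Risk, new_likelihood: Level,
                   new_impact: Optional[Level] = None) -> int:
    """Re-score a risk after a planned measure. Encryption, for example, leaves the
    likelihood of laptop theft unchanged but removes the exposure of EPHI (impact)."""
    impact = risk.impact if new_impact is None else new_impact
    return int(new_likelihood) * int(impact)


def build_sample_register() -> List[Risk]:
    """Constructed sample data for a small practice; not from any real assessment."""
    return [
        Risk("Laptops", "Theft or loss off-site", "human",
             "Local drives not encrypted", Level.HIGH, Level.HIGH),
        Risk("EHR server", "Extended power loss", "environmental",
             "No UPS, restore from backup never tested", Level.MEDIUM, Level.HIGH,
             controls=["Nightly backup to vendor"]),
        Risk("Paper charts", "Flooding of basement storage", "natural",
             "Records stored below grade", Level.LOW, Level.MEDIUM),
        Risk("Front-desk workstation", "Unattended logged-in session", "human",
             "No automatic logoff configured", Level.HIGH, Level.MEDIUM),
    ]


def report(register: List[Risk]) -> List[str]:
    """One line per risk, highest first, suitable for the risk analysis document."""
    return [f"{rating(r.score()):6} {r.score()}  {r.asset}: {r.threat} / {r.vulnerability}"
            for r in prioritize(register)]


if __name__ == "__main__":
    reg = build_sample_register()
    print("\n".join(report(reg)))
    print("High risk with no control:", [r.asset for r in unmitigated_high_risks(reg)])
    laptops = reg[0]
    # Full-disk encryption: theft still likely, but a stolen device no longer exposes EPHI.
    after = residual_score(laptops, Level.HIGH, Level.LOW)
    print("Laptop risk after encryption:", after, rating(after))
```

Running the script lists the two entries with no control (the laptops and the front-desk workstation) as the first items for the risk management plan, and shows the laptop entry dropping from High (9) to Medium (3) once encryption is planned, which is also the step that would have taken the Hospice of North Idaho incident out of the breach notification rule's "unsecured" category.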

Coming soon: HIPAA security best practices
- New webpage
- Tools and resources
- Education videos
- Watch the NHPCO webpage and NewsBriefs for updates.

Questions
- NHPCO members enjoy unlimited access to Regulatory Assistance. Feel free to email questions to regulatory@nhpco.org.

Regulatory and Compliance Team at NHPCO
- Jennifer Kennedy, MA, BSN, RN, CHC, Director, Regulatory and Compliance
- Judi Lund Person, MPH, Vice President, Compliance and Regulatory Leadership
- Email us at: regulatory@nhpco.org

Resources
- CMS, Basics of Risk Analysis and Risk Management: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
- HHS/OCR, Final Guidance on Risk Analysis: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html