Healthcare Compliance Solutions


Privacy Compliance
Healthcare Compliance Solutions

Trust and privacy are essential for building meaningful human relationships.

Let Protected Trust be your Safe Harbor

The U.S. Department of Health and Human Services issued a final omnibus rule in January 2013 that strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act (HIPAA). The initial HIPAA privacy and security rules focused on covered entities (which include healthcare providers, health plans, and healthcare clearinghouses). The changes now expand many of the requirements to business associates (which help covered entities carry out their health care activities and functions). Penalties for noncompliance are increased based on the level of negligence, with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements by clarifying when breaches of unsecured protected health information must be reported to HHS.

HITECH Act Penalties

General failure to comply is $100 per violation; penalties for violations of an identical requirement may not exceed $25,000 per year. More severe penalties apply to more serious HIPAA violations, with fines of $25,000 to $50,000 and one to ten years of imprisonment.

Under HITECH, Health and Human Services issues regulations requiring notification of breaches of unsecured protected health information. Only encryption and destruction are approved methods of rendering this information secure; basic access controls and firewalls are not enough. While HITECH does not require encryption of protected health information, the act's breach notification rule includes a safe harbor that exempts a breach from reporting if the data involved was properly encrypted. Keeping this information secure in transit over electronic networks is also critical to complying with the safe harbor provision. Appropriate steps must be taken to ensure that protected health information sent through email or other networks remains secure. Encryption of email messages is an easy way to ensure the security of this information in transit and at rest.

More than just a Vendor

As the final omnibus rule makes clear, HIPAA applies to covered entities and business associates. Both must comply with requirements to protect the privacy and security of health information. Business associates must maintain reasonable and appropriate security practices and follow the same regulations as the covered entities with which they work.

"Our guiding principles focus on the privacy of personal information and on the right to securely communicate. We care about protecting information in your email. This is what forms trust."
Ingram Leedy, @protectedtrust

On the following pages you will find a detailed explanation of our safeguards and controls to help you comply with HITECH and HIPAA requirements.

Protected Trust Email Encryption's response to the HIPAA Administrative Simplification Code of Federal Regulations, Title 45, Part 164: Security & Privacy

Organizational Requirements (see 164.314)

164.314(a)(1) Business associate contracts or other arrangements
- Business associate contracts: Protected Trust implements administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that a covered entity creates, receives, maintains, and transmits through the Protected Trust service.

Technical Safeguards (see 164.312)

164.312(a)(1) Access Control
- Unique User Identification: Use of unique user identification and authorization for registered users. Unregistered user identification policy options: phone verification using an SMS or voice verification code; shared secret or passphrase (e.g. account number, password, identifiable information); email address only verification.
- Emergency Access Procedure: Protected email communications can be accessed from any location via a secure Internet connection with the proper security authorization.
- Automatic Logoff: Use of policy-controlled automatic inactivity logoff for private and public workstations.
- Encryption and Decryption: Encryption technologies are used with one or more cryptographic keys to encrypt and decrypt data at rest and in transit. Key management is based on NIST SP 800-57. Additionally, Transport Layer Security (TLS) cryptographic protocols are used for all transport communications security.

164.312(b) Audit Controls
- Detailed audit reports are available of use, delivery, logins, and inactivity.

164.312(c)(1) Integrity
- Mechanism to Authenticate ePHI: Cryptographic hashing technologies ensure that information in transit and at rest has not been altered or destroyed in an unauthorized manner.

164.312(d) Person or Entity Authentication
- Same controls as Unique User Identification under 164.312(a)(1): unique user identification and authorization for registered users, and the phone verification, shared secret or passphrase, and email address only options for unregistered users.

164.312(e)(1) Transmission Security
- Integrity Controls: Cryptographic hashing technologies ensure that information in transit and at rest has not been altered or destroyed in an unauthorized manner.
- Encryption: The Advanced Encryption Standard (AES) specifies a FIPS-approved (FIPS PUB 197) cryptographic algorithm used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. The AES algorithm uses a cryptographic key of 256 bits to encrypt and decrypt data.

Physical Safeguards (see 164.310)

164.310(a)(1) Facility Access Controls
- Contingency Operations: Protected Trust has established policies and procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
- Facility Security Plan: Protected Trust has implemented policies and procedures to safeguard the facilities and equipment from unauthorized physical access, tampering, and theft.
- Access Control and Validation Procedures: Protected Trust has implemented procedures to control and validate personnel access to facilities based on their role and function, including visitor control, and control of access to software systems.
- Maintenance Records: Protected Trust has implemented policies and procedures to document repairs and modifications to the physical components of facilities which are related to security.

164.310(d)(1) Device and Media Controls
- Disposal: Protected Trust implements policies and procedures to address the final disposition of electronic protected health information, and the hardware and electronic media on which it is stored.
- Media Re-use: Protected Trust has implemented procedures for removal of electronic protected health information from electronic media before the media is made available for re-use.
- Accountability: Protected Trust maintains records of the movements of hardware, electronic media, and personnel.
- Data Backup and Storage: Protected Trust can create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Administrative Safeguards (see 164.308)

164.308(a)(1) Security Management Process
- Risk Analysis: We place great emphasis on information security and privacy. We have developed a robust, multi-faceted information risk and security program, which incorporates world-class security practices and operating procedures.
- Risk Management: With the commitment of top-level management, we have put in place a strong security organization using international standards to guide policy development, from which crucial security processes are identified.
- Sanction Policy: Protected Trust works with the CE to comply with their sanction policies and procedures.
- Information System Activity Review: Protected Trust provides comprehensive reports of activity and regular review of system activity, such as audit logs, access reports, and security incident tracking reports.

164.308(a)(2) Assigned Security Responsibility
- Protected Trust personnel will work with the CE's Security Officer to ensure that data protection policies adhere to the policies and procedures of the CE.

164.308(a)(3) Workforce Security
- Authorization and/or Supervision: Protected Trust services are designed to ensure that only those personnel with appropriate application rights have access to ePHI.
- Workforce Clearance Procedure: Protected Trust ensures our personnel have proper security screening and clearance.
- Termination Procedures: As part of the CE's termination procedures, the Protected Trust service allows authorized CE personnel to de-authorize access to electronic protected health information for the CE's employees. Additionally, Protected Trust implements procedures and policies for terminating personnel.

164.308(a)(4) Information Access Management
- Isolating Health Care Clearinghouse Function: The Protected Trust service allows the CE to isolate data protection to authorized personnel and protect the electronic protected health information from the larger organization.
- Access Authorization: The Protected Trust service allows the CE to implement policies and procedures for granting access to electronic protected health information.
- Access Establishment and Modification: The Protected Trust service allows the CE to implement policies and procedures for granting and modifying a user's access to electronic protected health information and encryption protection.

164.308(a)(5) Security Awareness and Training
- Security Reminders: Protected Trust will participate in a CE's periodic security updates on an as-needed basis.
- Protection from Malicious Software: Protected Trust maintains procedures for guarding against, detecting, and reporting malicious software.
- Log-in Monitoring: Protected Trust records log-on activity. This activity information can be provided to the covered entity as needed.
- Password Management: The Protected Trust architecture is designed specifically so that only those personnel with appropriate rights as well as encryption passwords have access to ePHI.

164.308(a)(6) Security Incident Procedures
- Response and Reporting: Protected Trust continuously identifies, responds to, and documents suspected or known security incidents and their outcomes.

164.308(a)(7) Contingency Plan
- Data Backup Plan: Protected Trust has implemented procedures to create and maintain backup copies of electronic protected health information.
- Disaster Recovery Plan: Protected Trust has established and implemented procedures to restore any loss of data.
- Emergency Mode Operation Plan: Protected Trust has established and implemented procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
- Testing and Revision Procedure: Protected Trust implements, periodically tests, and revises continuity plans.
- Applications and Data Criticality Analysis: Protected Trust assesses the relative criticality of specific applications and data to support contingency plans.

164.308(a)(8) Evaluation
- The CE can contract with Protected Trust Professional Services for periodic evaluation of backed-up data integrity and the recovery process.

164.308(b)(1) Business Associate Contracts and Other Arrangements
- Written Contract or Other Arrangement: Protected Trust will work with the CE to provide assurances that appropriate safeguards are met through a written contract or other arrangements per applicable requirements of 164.314(a).

Protected Trust Architecture

[Figure: Protected Trust architecture. Elements: Sender, Protected Storage, Recipient; protected email, symmetric key, encrypted email, encrypted symmetric key, Key management]

A client may be in the form of Microsoft Outlook 2007 or Microsoft Outlook 2010 (x32/x64) using the Protected Trust Email Encryption add-in, or the web-based portal for the Microsoft Internet Explorer, Apple Safari, Google Chrome, or Mozilla Firefox browsers. Each (1) email message is encrypted by the sending client with a (2) unique symmetric key to create the (3) encrypted email. The encrypted email is sent to the (4) Protected Trust storage service and made available to the recipient until expiration. The sending client transfers the symmetric key to the (5) Protected Trust Email Encryption key management service and discards the original key. On proper recipient authentication and rights authorization, the encryption key is provided to the recipient and combined with the encrypted email to reconstitute the original data.

Copyright 2013 Protected Trust. All rights reserved. Protected Trust logos are registered trademarks of Protected Trust in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are property of their respective owners. Protected Trust reserves the right to change, modify, transfer or otherwise revise this publication without notice. May 2013
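The flow just described (a unique symmetric key per message, ciphertext held by a storage service, the key escrowed with a key management service and released only after recipient authentication and authorization) and the technical safeguards listed under 164.312 (unique user identification, encryption at rest and in transit, cryptographic hashing for integrity, audit records of logins and delivery) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not Protected Trust's code and makes no claim about how their service is built. It assumes: Python's standard library only, so an HMAC-SHA256 keystream in counter mode stands in for the AES-256 cipher the paper names (the stdlib has no AES); both services are in-process objects rather than network endpoints; and the user store, addresses and message text are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: stand-in for AES-256-CTR (stdlib has no AES).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the per-message key.
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def encrypt_message(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: the tag lets the recipient detect any alteration."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return {"nonce": nonce, "body": body, "tag": tag}


def decrypt_message(key: bytes, record: dict) -> bytes:
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, record["nonce"] + record["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):   # integrity control
        raise ValueError("integrity check failed: message altered or wrong key")
    stream = _keystream(enc_key, record["nonce"], len(record["body"]))
    return bytes(c ^ k for c, k in zip(record["body"], stream))


class StorageService:
    """Holds ciphertext only; it never sees a key."""
    def __init__(self):
        self._messages = {}

    def put(self, msg_id, record):
        self._messages[msg_id] = record

    def get(self, msg_id):
        return self._messages[msg_id]


class KeyManagementService:
    """Escrows per-message keys and releases each only to its authorized,
    authenticated recipient, keeping an audit trail of the outcome."""
    def __init__(self):
        self._keys = {}         # msg_id -> (key, authorized recipient)
        self._credentials = {}  # user -> (salt, PBKDF2 hash); constructed store
        self.audit = []         # (event, user, msg_id)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._credentials[user] = (salt, self._hash(password, salt))

    def escrow_key(self, msg_id, key, recipient):
        self._keys[msg_id] = (key, recipient)

    def release_key(self, msg_id, user, password):
        cred = self._credentials.get(user)
        if cred is None or not hmac.compare_digest(cred[1], self._hash(password, cred[0])):
            self.audit.append(("login_failed", user, msg_id))
            raise PermissionError("authentication failed")
        key, recipient = self._keys[msg_id]
        if user != recipient:                 # authenticated but not authorized
            self.audit.append(("access_denied", user, msg_id))
            raise PermissionError("user is not the authorized recipient")
        self.audit.append(("key_released", user, msg_id))
        return key


def send(storage, kms, msg_id, plaintext, recipient):
    key = secrets.token_bytes(32)           # unique 256-bit key per message
    storage.put(msg_id, encrypt_message(key, plaintext))
    kms.escrow_key(msg_id, key, recipient)  # key goes to the KMS, not storage
    del key                                 # sender discards its copy


def receive(storage, kms, msg_id, user, password):
    return decrypt_message(kms.release_key(msg_id, user, password), storage.get(msg_id))


def demo():
    """Runs the flow on constructed data and returns what each step produced."""
    storage, kms = StorageService(), KeyManagementService()
    kms.register_user("dr.lee@clinic.example", "correct horse battery")
    kms.register_user("other@clinic.example", "another secret")
    send(storage, kms, "msg-1", b"Patient 1234: lab results attached", "dr.lee@clinic.example")
    outcomes = {"delivered": receive(storage, kms, "msg-1", "dr.lee@clinic.example", "correct horse battery")}
    try:    # registered user, but not the addressee
        receive(storage, kms, "msg-1", "other@clinic.example", "another secret")
    except PermissionError as e:
        outcomes["wrong_recipient"] = str(e)
    record = storage.get("msg-1")
    record["body"] = bytes([record["body"][0] ^ 0xFF]) + record["body"][1:]
    try:    # ciphertext altered in storage: the tag check rejects it
        receive(storage, kms, "msg-1", "dr.lee@clinic.example", "correct horse battery")
    except ValueError as e:
        outcomes["tampered"] = str(e)
    outcomes["audit"] = [event for event, _, _ in kms.audit]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the separation of duties: the storage service alone holds nothing a thief could read, and the key management service alone holds nothing worth reading, so a compromise of either one by itself does not expose the message. The audit list is what a 164.312(b) report would be built from, and the failed decryption after tampering shows why the hashing control is checked before any plaintext is produced.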

About Protected Trust

Protected Trust brings to the market the synergy between several products and services focused on just one thing: risk management for a company's digital assets. Protected Trust combines operational experience, a physically secure infrastructure, cloud-based managed services, and an expert culture of security and privacy. Protected Trust exists to protect the informational assets of businesses, helping them manage their risk and limit their exposure to liability and data misuse. The suite of products and services offered by Protected Trust is unique, focused intently on the privacy, security, and compliance of digital information assets. For information, please access https://, send us an email to info@ or call us on 863.594.1141.