HIPAA DATA SECURITY & PRIVACY COMPLIANCE



This paper explores how isheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification.

Learn more by visiting
2014 isheriff. isheriff is a registered trademark of isheriff. All other trademarks are the property of their respective owners. Specifications subject to change without notice. All rights reserved.

Introduction

This white paper examines the data security and privacy compliance requirements of the Healthcare Insurance Portability and Accountability Act (HIPAA). It examines the purpose and objectives of specific portions of the Act related to information security and the privacy of data transfers and communications. Finally, this paper explores how isheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification.

The Healthcare Insurance Portability and Accountability Act is US federal law, enacted in 1996. IT ADDRESSES:
a) Healthcare insurance access and the portability of healthcare insurance from one employer to another; it also affects the exclusion period for certain pre-existing health conditions when enrolling in a group health plan.
b) Civil and criminal penalties for healthcare-related offences such as fraud.
c) Standards for improving the efficiency of healthcare administration and how health information is disseminated.
d) Data security and privacy standards for Protected Health Information (PHI) and Electronic Protected Health Information (EPHI).

ORGANIZATIONS AFFECTED BY HIPAA

HIPAA affects any organization in the US handling Protected Health Information. Typically, organizations that handle PHI are issued with a National Provider Identifier (NPI) number by the Centers for Medicare and Medicaid Services (CMS). Organizations required to comply with HIPAA regulations are termed covered entities.

COMMON EXAMPLES OF COVERED ENTITIES INCLUDE:
» Health insurers
» Healthcare clearing houses
» Hospitals
» Nursing homes
» Pharmacies
» Laboratories
» Physicians', physiotherapists' and general practitioners' offices

HIPAA REQUIREMENTS

HIPAA stipulates a range of requirements for organizations handling healthcare insurance and PHI. This white paper is primarily concerned with HIPAA requirements governing data security and privacy.
HIPAA IS STRUCTURED IN THREE MAIN AREAS:

1: TITLE I - HEALTHCARE ACCESS

Title I regulates the availability of healthcare insurance and the portability of insurance across employers and group healthcare plans. Note: this white paper does not address this area of the Act in detail.

2: TITLE II - FRAUD, PRIVACY, SECURITY AND ADMINISTRATION

Title II defines various offences relating to healthcare, such as fraud, and sets criminal and civil penalties for these crimes. It also stipulates a series of standards and controls regarding the handling of PHI, termed Administrative Simplification. Title II sets out five rules regarding Administrative Simplification:

1) PRIVACY RULE - regulates the use and disclosure of PHI by covered entities, e.g.:
a) Covered entities must ensure the confidentiality of communications with individuals.
b) Covered entities must disclose PHI to the individual concerned within 30 days upon request.
c) Covered entities must make reasonable efforts to disclose only the minimum necessary information required to achieve the purpose, after authorization is obtained from the individual.
d) Covered entities are required to notify an individual of users of their PHI. They must also keep a record of who PHI has been disclosed to, what was disclosed and when.
e) Covered entities must appoint a Privacy Official responsible for establishing PHI security policies and procedures internally, who is the contact point for PHI-related complaints and is responsible for internal workforce training on procedures relating to PHI.

2) TRANSACTIONS AND CODE SETS RULE - stipulates standards for electronic healthcare claims, billing and transactions required for HIPAA compliance.

3) SECURITY RULE - similar and complementary to the Privacy Rule, but solely concerned with Electronic Protected Healthcare Information (EPHI). The Security Rule specifies three types of security safeguards for EPHI:

a) ADMINISTRATIVE SAFEGUARDS
i) Covered entities must adopt a written set of privacy procedures and appoint a Privacy Officer.
ii) Clearly identify employees or roles authorized to access EPHI and restrict access to only those employees who require it to perform their job function.
iii) Outsourced third parties who require access to EPHI in their business process must comply with HIPAA requirements, and the covered entity is responsible for ensuring this.
iv) Establish data disaster recovery and backup procedures for EPHI.
v) Document the scope, frequency and procedures for internal EPHI and administrative audits.
vi) Document procedures for EPHI security breaches.

b) PHYSICAL SAFEGUARDS
i) Controls must be implemented to ensure the physical security of EPHI and protect against unauthorized access.
ii) Controls must govern the introduction or removal of hardware and software on the network.
iii) Access to equipment storing EPHI must be restricted to authorized personnel.
iv) Workstations capable of accessing EPHI should be located in private areas and out of direct view of the public or unauthorized people.
v) If a covered entity uses an external contractor, the contractor must be given training and made aware of HIPAA responsibilities.

c) TECHNICAL SAFEGUARDS
i) Controls must be implemented to control access to computer systems and to ensure that covered entities protect communications containing PHI and prevent anyone other than the intended recipient from intercepting them.
ii) EPHI information systems must be protected against intrusion or hacking.
iii) When EPHI is transmitted over an open network, some form of data encryption must be applied. If the network is closed, data encryption is considered to be optional.
iv) Covered entities are responsible for ensuring that EPHI is not changed or erased without appropriate authorization.
v) Data corroboration such as the use of digital signatures, checksums and message authentication should be used to ensure data integrity and anti-tampering.
vi) Covered entities must authenticate with the other entities with which they communicate EPHI. Covered entities must ensure that entities are indeed who they claim to be.
vii) Covered entities must document their HIPAA compliance practices around the Security Rule and provide these to appropriate government regulators upon request to help determine HIPAA compliance.
viii) Covered entities must also carry out and document EPHI security risk assessments and risk management programs.

The Security Rule is considered to be a mandatory, minimum standard for EPHI security, and covered entities are obligated to make specific assessments of their own security risks and take the reasonable additional precautions necessary to protect EPHI within the covered entity's specific environment.

4) UNIQUE IDENTIFIERS RULE - Covered entities governed by HIPAA must use only the National Provider Identifier (NPI) number to identify covered healthcare providers. Covered entities must not share PHI with entities that do not use an NPI, a 10-digit alphanumeric identification number.

5) ENFORCEMENT RULE - sets civil monetary penalties for covered entities that violate or fail to comply with HIPAA requirements. It also establishes how violations are investigated and prosecuted.

3: HITECH ACT

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was enacted as part of the American Recovery and Reinvestment Act of 2009. It addresses additional privacy and security issues relating to the electronic transmission of PHI. It extends the data privacy and security requirements of HIPAA to business associates of covered entities and stipulates that these requirements be included in agreements and contracts between covered entities and business associates. The Act also imposes additional notification requirements relating to PHI security breaches and extends these not only to covered entities, but to business associates and vendors of personal health records. Lastly, the Act also implements changes in the rules governing disclosures of PHI when an organization uses an electronic health record (EHR).
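The technical safeguard on data corroboration names three mechanisms (digital signatures, checksums, message authentication) but does not show why they differ. The following example is added here for illustration; it is not taken from the white paper or from isheriff. It uses only the Python standard library (hmac, hashlib, json) to protect a small constructed EPHI record first with an unkeyed SHA-256 checksum and then with an HMAC-SHA256 tag, and shows what each control reports when the record's dose field is altered without authorization. The record fields, the key and the values are all constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed demo key; a real deployment would use a per-system secret from a key store.
KEY = b"constructed-demo-key-not-for-production"


def canonical(record: Dict) -> bytes:
    """Serialize a record deterministically so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


# --- Unkeyed checksum: detects accidental corruption only ---
def checksum_protect(record: Dict) -> Dict:
    return {"record": record, "sum": hashlib.sha256(canonical(record)).hexdigest()}


def checksum_verify(envelope: Dict) -> bool:
    return hashlib.sha256(canonical(envelope["record"])).hexdigest() == envelope["sum"]


# --- Keyed message authentication code (HMAC-SHA256): detects deliberate tampering too ---
def mac_protect(record: Dict, key: bytes = KEY) -> Dict:
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def mac_verify(envelope: Dict, key: bytes = KEY) -> bool:
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself does not leak the tag byte by byte
    return hmac.compare_digest(expected, envelope["tag"])


# Constructed sample EPHI record (placeholder values).
SAMPLE_RECORD = {"mrn": "MRN-00123456", "drug": "amoxicillin", "dose_mg": 250}


def demo() -> Dict[str, bool]:
    """Compare how each control responds to an unauthorized change of the dose field."""
    altered = dict(SAMPLE_RECORD, dose_mg=2500)

    # Anyone who can rewrite the record can also recompute an unkeyed checksum,
    # so the altered record still verifies:
    forged_checksum = checksum_protect(altered)

    # With a MAC the tag cannot be recomputed without the key; the only option is to
    # keep the old tag, which no longer matches the altered content:
    genuine = mac_protect(SAMPLE_RECORD)
    altered_with_old_tag = {"record": altered, "tag": genuine["tag"]}

    return {
        "checksum_accepts_altered_record": checksum_verify(forged_checksum),
        "mac_accepts_genuine_record": mac_verify(genuine),
        "mac_accepts_altered_record": mac_verify(altered_with_old_tag),
        "mac_accepts_wrong_key": mac_verify(genuine, b"a-different-key"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The checksum is the right tool for spotting disk or transmission corruption; only the keyed tag (or a digital signature, which additionally binds the result to a sender's identity) satisfies the "anti-tampering" half of the safeguard, because recomputing it requires a secret the person altering the record does not hold.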

isheriff Cloud Security & HIPAA

isheriff Cloud Security is a Web, Email and Endpoint protection service which complies with HIPAA regulations governing the security and privacy of Electronic Protected Healthcare Information. The service provides real-time analysis of email and Web traffic to guard against HIPAA compliance breaches and accidental disclosure of EPHI. isheriff automatically encrypts EPHI according to HIPAA procedures and provides data leakage protection to ensure the security and privacy of PHI.

360° HIPAA POLICY COMPLIANCE

isheriff Cloud Security provides a complete solution to help your organization address a range of HIPAA security requirements, including technology protection, implementation of HIPAA policies, assisting with employee education and analyzing the compliant transmission of EPHI.

isheriff APPLIES A 360 DEGREE SOLUTION WHICH ENABLES CORPORATIONS TO:
» DEFINE PHI data security procedures.
» Consistently MONITOR the transmission of EPHI, automatically enforce HIPAA procedures in email and Web communications and ensure the security and privacy of healthcare information.
» DETECT policy breaches, automatically alert HIPAA Privacy Officers of procedural breaches and help educate employees regarding HIPAA compliance.
» ANALYZE Web, Email and Endpoint activity with reports that enable healthcare providers to better educate employees and refine policies to maintain continued compliance with HIPAA rules over time.

ACHIEVING HIPAA COMPLIANCE

HIPAA lays out multiple security rules and requirements that covered entities must implement. isheriff Cloud Security provides functionality which can meet or surpass all of these requirements:

HIPAA Requirement: Ensure the confidentiality of communications with individuals.
isheriff Cloud Security: isheriff Cloud Security provides easy-to-use security features such as email encryption, policy-based data and file-type controls and real-time EPHI detection to ensure that data is transmitted according to confidentiality procedures and to block the unauthorized or non-compliant communication of EPHI.

HIPAA Requirement: Adopt a written set of privacy procedures for handling EPHI.
isheriff Cloud Security: isheriff Cloud Security enables you to easily adapt written HIPAA privacy procedures into practical, plain-English security rules using an intuitive user interface. Pre-configured example HIPAA policies are available to help streamline policy creation and save time and money. isheriff Cloud Security can automatically secure information or trigger HIPAA policies based on:
» Names, addresses, phone or fax numbers
» Email addresses, IP addresses or domains
» National Provider Identifier (NPI)
» Social Security Numbers
» Medical record numbers
» Bank account numbers
» Any alphanumeric pattern of interest for HIPAA compliance

HIPAA Requirement: Restrict access to EPHI to only those employees who require it to perform their job function.
isheriff Cloud Security: isheriff Cloud Security is a policy-based user authentication solution which enables healthcare providers to selectively apply EPHI communication privileges based on user ID, IP address, department, policy group or domain. This means that unauthorized employees are always blocked from transmitting EPHI and authorized EPHI communications are automatically encrypted in accordance with HIPAA guidelines.

HIPAA Requirement: Third parties utilized by covered entities must comply with HIPAA rules.
isheriff Cloud Security: isheriff Cloud Security provides an easy-to-use and totally secure communication environment, allowing your organization to communicate privately with individuals and business associates. You can collaborate and share information securely and without additional costs, special software or extensive training requirements.

HIPAA Requirement: Covered entities must protect communications containing PHI and prevent anyone other than the intended recipient from intercepting them.
isheriff Cloud Security: Policy-based authentication ensures that EPHI can only be shared with an authorized list of email addresses, domains or IP addresses. In addition, email S/MIME and 128-bit SSL encryption prevent interception of EPHI or accidental disclosure to unintended recipients.

HIPAA Requirement: Covered entities must protect information systems against intrusion or hacking.
isheriff Cloud Security: isheriff Cloud Security helps safeguard email and Web communications, and keeps endpoints free from malware and other malicious Web attacks.
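The two mechanisms described above, pattern-based EPHI detection on outbound content and a policy that decides per sender and recipient whether a message is allowed, encrypted or blocked, are the core of any data-leak-prevention control, vendor-supplied or home-grown. The following example is added here for illustration and is not isheriff's code or a description of how its service is built. It uses the Python standard library only: regular expressions for the SSN, NPI and medical-record-number shapes, a small policy table of authorized senders and recipient domains, and a few constructed sample messages. The "MRN-" record-number format, the sender addresses and the domains are placeholders I made up; the NPI check-digit validation (Luhn over the 10 digits with the constant prefix 80840) is from the CMS NPI specification, not from the white paper, and is what keeps ordinary 10-digit invoice numbers from being flagged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Detection patterns. The SSN shape is standard; an NPI is a 10-digit number;
# the "MRN-" prefix is a hypothetical placeholder for a site-specific record-number format.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
NPI_RE = re.compile(r"\b\d{10}\b")
MRN_RE = re.compile(r"\bMRN-\d{6,8}\b")

# Policy tables (constructed for this example; the addresses and domains are placeholders).
AUTHORIZED_SENDERS = {"records@clinic.example"}
AUTHORIZED_RECIPIENT_DOMAINS = {"clinic.example", "lab-partner.example"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check over a digit string that already includes its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_npi(candidate: str) -> bool:
    """NPI check digit: Luhn computed over the constant prefix '80840' + the 10 digits.
    This rule comes from the CMS NPI specification, not from the white paper."""
    return len(candidate) == 10 and candidate.isdigit() and luhn_ok("80840" + candidate)


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class Decision:
    action: str                              # "allow", "encrypt" or "block"
    findings: Dict[str, List[str]] = field(default_factory=dict)
    alert: Optional[str] = None              # text of the Privacy Officer alert, if any


def find_ephi(text: str) -> Dict[str, List[str]]:
    """Return the EPHI identifiers found in a message body, keyed by identifier type."""
    findings: Dict[str, List[str]] = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["ssn"] = ssns
    npis = [c for c in NPI_RE.findall(text) if is_valid_npi(c)]
    if npis:
        findings["npi"] = npis
    mrns = MRN_RE.findall(text)
    if mrns:
        findings["mrn"] = mrns
    return findings


def evaluate(msg: Message) -> Decision:
    """Policy: no EPHI -> allow; EPHI from an authorized sender to an authorized
    domain -> encrypt; any other EPHI transmission -> block and raise an alert."""
    findings = find_ephi(msg.body)
    if not findings:
        return Decision("allow")
    recipient_domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if msg.sender.lower() in AUTHORIZED_SENDERS and recipient_domain in AUTHORIZED_RECIPIENT_DOMAINS:
        return Decision("encrypt", findings)
    alert = "EPHI policy breach: %s -> %s (%s)" % (msg.sender, msg.recipient, ", ".join(sorted(findings)))
    return Decision("block", findings, alert)


# Constructed sample traffic: an authorized referral, a leak attempt, and a false-positive candidate.
SAMPLE_MESSAGES = [
    Message("records@clinic.example", "intake@lab-partner.example",
            "Referral for patient MRN-00123456; ordering provider NPI 1234567893."),
    Message("frontdesk@clinic.example", "friend@webmail.example",
            "Can you look up SSN 123-45-6789 for me?"),
    Message("records@clinic.example", "vendor@office-supply.example",
            "Invoice 1234567890 for printer toner."),   # ten digits, but not a valid NPI
]


def run_samples() -> List[str]:
    return [evaluate(m).action for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        d = evaluate(m)
        print(f"{m.sender} -> {m.recipient}: {d.action} {d.findings} {d.alert or ''}")
```

The third sample is the case a practitioner cares about most: a bare 10-digit regex would flag the invoice number and either block legitimate business mail or train staff to ignore alerts, so identifier validation (check digits, known prefixes) belongs in the detector rather than only in the policy layer.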

ACHIEVING HIPAA COMPLIANCE (continued)

HIPAA Requirement: PHI must be encrypted when transmitted over an open network.
isheriff Cloud Security: Email communications are protected by 128-bit SSL connections and/or S/MIME PKI encryption over open networks. HTTPS content inspection ensures that EPHI is only transmitted via the Web by authorized

HIPAA Requirement: Data corroboration such as digital signatures, checksums and message authentication should be used to ensure data integrity and anti-tampering.
isheriff Cloud Security: isheriff Cloud Security provides detailed Web and email security reporting. This enables you to monitor and evaluate the disclosure of NPI, who has accessed NPI, and adjust security measures or implement new policies as needed.

HIPAA Requirement: Covered entities must authenticate with the other entities with which they communicate EPHI.
isheriff Cloud Security: isheriff Cloud Security supports Public Key Infrastructure (PKI) that employs trusted X.509 certificates and S/MIME cryptography for strong authentication and encryption.

HIPAA Requirement: Covered entities must keep a record of who PHI has been disclosed to, what was disclosed and when.
isheriff Cloud Security: isheriff Cloud Security reports provide a detailed log of communications and HIPAA-related events such as email, file uploads or downloads and identification of users and email addresses that EPHI has been disclosed to.

BEYOND HIPAA: WHY isheriff CLOUD SECURITY IS IDEAL FOR HEALTHCARE PROVIDERS

FOR WEB, EMAIL AND ENDPOINT DEVICE SECURITY, isheriff CLOUD SECURITY OFFERS HEALTHCARE PROVIDERS CONSIDERABLE BENEFITS AND ADVANTAGES:
» A hosted security solution which cleans and secures email and Internet use. No need to purchase or manage appliances or software - all infrastructure is provided and managed for you.
» A single vendor for endpoint anti-virus, email security, encryption and/or Internet filtering.
» Predictable fixed cost structure with the flexibility to let you grow or shrink your user licensing as and when you need it. No tedious maintenance or administration.
» Accessible policy tuning and reporting via a secure Web console enables you to manage your security if you wish and view reports anytime, anywhere.
» Reliable, effective security with real-time, patented content and threat analysis technology from a vendor with over 10 years of proven experience delivering best-of-breed protection.
» Eliminates spam and phishing from incoming email - removes offensive unsolicited messages, which also contain malicious threats and links to compromised websites, and delivers considerable bandwidth savings.
» Secures your endpoints, email and Web connections against viruses, malware and the latest Web 2.0 threats such as botnets and compromised websites.
» Prevents access to pornographic and offensive Web content with website category filtering which is updated and driven by your usage. SafeSearch enforcement is also provided for search engines such as Google, Yahoo and Bing, as well as YouTube, ensuring that inappropriate content is not returned by a search.
» Automatic email archiving to back up your important communications and aid in disaster recovery.
» Access easy-to-understand reports on demand and readily measure the cost savings and performance delivered by the services you are paying for.

Other Key Features & Benefits

EASE OF USE
» Powerful and intuitive Web console, with flexible drag & drop configurability
» Full integration with all major directory services - for hassle-free set-up and group/user maintenance
» Comprehensive and configurable reporting across all policies, security vectors and directory elements
» Policy enforcement through real-time reporting and alerting
» Lightweight endpoint anti-malware agent deployable on all current versions of Windows, Mac and Linux

COMPREHENSIVE SECURITY CONTROLS
» Highly configurable content filtering, based on isheriff's proprietary URL database and real-time dynamic page classification - ensuring that acceptable use policies are enforced
» Highly flexible application controls, enabling policy enforcement for application permissions
» Bandwidth controls, enabling management of bandwidth usage through policy
» Data leak protection for data-in-motion across both Web and Email transport layers, to ensure that sensitive corporate information is kept secure

ADDITIONAL BENEFITS
» Email archiving for 90 days, and e-discoverability
» Multi-tenant management framework and dashboard, enabling management of deployment, policies and reporting for MSPs, VARs and distributed organizations through an integrated Web-based console

isheriff Security Specialists

At isheriff, our commitment to our customers is the driving force behind everything we do. In addition to all of the customer service functions offered by competitive companies, at isheriff you will be assigned your own Security Specialist. isheriff is the only internet security company that provides a trained, dedicated, knowledgeable single point of contact whose job is to assist, guide and keep you informed about the best way to protect your most critical asset, your data. A Security Specialist is an additional layer of service and support, trained to advise you in this new era of cybercrime. Our Security Specialists are dedicated to both customers and partners based on customer location.

Your Security Specialists Can:
» Design a security solution customized to meet the needs of your business
» Provide full security assessments as well as demos and trials of our solutions
» Engage and manage any tech support, license or account management questions
» Provide the latest info on current threats
» Help select the right channel partner for your specific needs
» Provide you with the highest levels of personal service in the industry
» Develop a Cloud Security Strategy
» Share product road maps and future release schedules
» Provide competitive pricing, references and free trial copies upon request

Contact an isheriff Security Specialist today at /specialist

About isheriff

isheriff is the leading provider of content and endpoint security from the cloud. We keep organizations and individuals safe from cybercrime, malware and digital threats. Thousands of businesses across a wide array of industries have deployed our solutions, including some of the most sophisticated buyers of security technology worldwide. isheriff has operations in New York, California, Ireland and Asia.

Free Trial

isheriff's services can be easily and freely evaluated. Just provide us with some simple details via an online sign-up form and we can have a free 15-day trial of isheriff Cloud Security up and running for you within 24 hours. There is no obligation to subscribe and it is quick and easy to disconnect the service if you don't wish to continue. Sign up now at /cloudtrial

isheriff Resources
» CLOUD SECURITY OVERVIEW: /cloud
» CUSTOMER CASE STUDIES: /resources
» FREE TRIAL: /cloudtrial
» WHITEPAPERS: /resources
» SECURITY SPECIALISTS: /specialist
» CUSTOMER SUPPORT: /support
» OFFICE LOCATIONS: /contact
