ITUS Med Solutions. HITECH & HIPAA Compliance Guide




ITUS Med Solutions
HITECH & HIPAA Compliance Guide
75 East 400 South, Suite 301, Salt Lake City, UT 84111
(801) 505-9570 | www.itus-med.com | Email: info@itus-med.com

HITECH and HIPAA Act Requirements

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that appropriate administrative, technical, and physical safeguards be used to protect the privacy and security of sensitive health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009 as part of the American Recovery and Reinvestment Act (ARRA), clarifies and supplements the HIPAA requirements, particularly by creating disclosure requirements, adding significant financial penalties for losses, and mandating jail time for negligence in breaches of Protected Health Information (PHI) by covered entities that violate the HIPAA Privacy and Security Rules. Both HIPAA and the HITECH Act are enforced by the U.S. Department of Health and Human Services.

The goal of the security provisions of HIPAA is to ensure the integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information. The security provisions are designed to motivate healthcare service providers and their business associates to adopt practices that reduce the risk of losing valuable patient information to data theft through security breaches.

The Problem with Protected Health Information (PHI)

The HITECH Act introduced a significant problem for healthcare providers:

1) Institutions must be able to serve at least 50% of their patient populations electronically, and those that do not meet the Meaningful Use II attestation requirements can only bill for Medicare patients at a reduced rate. The measure is to provide patients with the ability to view online, download and transmit their health information to third parties:
   - 50% of patients have access (EPs: within 4 business days; hospitals: within 36 hours of discharge)
   - More than 10% of patients view, download or transmit their records

2) All Protected Health Information (PHI) must be encrypted at the endpoint, in transit and at rest (end-to-end encryption):
   - Secure messaging for ambulatory systems is not restricted to email; it may include a patient portal, PHR, or other messaging system.
   - Encryption and hashing algorithm standards are adopted as the baseline (45 CFR 164.312(a)(iv)).
   - Electronic health information stored on end-user devices is encrypted after use of the EHR is stopped; or, EHI never remains on the end-user device after use of the EHR is stopped.

One of the major hurdles to implementing encryption of this type is that browsers and e-mail do not support end-to-end encryption, forcing enterprises to deploy Virtual Private Networks (VPNs) to ensure that sensitive data is encrypted. VPNs are used almost exclusively within enterprises because they tend to be costly, difficult to deploy and difficult to manage, making them unsuitable for addressing the Meaningful Use II requirements.

New Solutions to Protect Institutions and Patients

ITUS Med is a technology and services company that provides a secure, private-branded channel for online transactions and communications, coupled with a breach insurance product backed by Lloyd's of London. The company offers a comprehensive suite of solutions that secures all aspects of online patient information and transactions with healthcare and insurance institutions. Each solution is carefully designed and tested to provide maximum security for the institution and the patient, and protects each patient's personal data, medical records, and identity information from Internet criminals.

The ITUS Med solution uses a PKI (Public Key Infrastructure) encryption mechanism around a secure communication system that incorporates legal digital signatures and a hardened browser that is immune to common web-based attacks. This approach meets the encryption requirements of Meaningful Use II, is easy to deploy and easy for patients to use, and provides a legally signed audit trail for non-repudiation as well as a low-cost, secure delivery mechanism for all communications that include PHI (lab results, billing, etc.), at a higher legal standard than first-class mail.

General Rules

Administrative Safeguards

Security Management Process
  Requirements:
  - Risk Management, 164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
  - Information System Activity Review, 164.308(a)(1)(ii)(D): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  ITUS Med solution:
  - Provides end-to-end encryption of all ePHI.
  - All communications and transactions are triple encrypted and digitally signed.
  - Eliminates the primary attack vectors:
      Browser: the Hardened Browser is immune to man-in-the-browser attacks.
      Email: point-to-point communications incorporate digital signatures; no third-party access.
      Storage: all persistent communications and transactions are encrypted with PKI.
  - Digital Signatures are appended to all communications and transactions. They include time/day/date stamps as well as sender and recipient information, and provide a legal instrument for non-repudiation and logging of communications, transactions and events.

Workforce Security
  Requirement:
  - Authorization and/or Supervision, 164.308(a)(3)(ii)(A): Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
  ITUS Med solution:
  - Each user has a specific User Class associated with their login (Patient, Physician, Administrator, etc.).
  - Access to specific sites can be limited by User Class.
  - Secure behavior is enforced by limiting and obfuscating recipient information based on User Class.

Information Access Management
  Requirements:
  - Isolating Health Care Clearinghouse Function, 164.308(a)(4)(ii)(A): If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization.
  - Access Establishment and Modification, 164.308(a)(4)(ii)(C): Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
  ITUS Med solution:
  - Clearinghouse information access is restricted to specific users with the User Class function.
  - The ArmoredView Administration Console can be customized to include any number of permissions policies and is easily integrated with existing policy systems.

Security Awareness
  Requirement:
  - Protection from Malicious Software, 164.308(a)(5)(ii)(B): Implement procedures for guarding against, detecting, and reporting malicious software.
  ITUS Med solution:
  - The Armored Online solution eliminates the primary vectors of attack:
      The Hardened Browser locks out plug-ins, extensions, helper objects and persistent cookies that criminals co-opt in their attacks.
      The encrypted point-to-point email system ensures that only the issuing institution and the authorized recipient can communicate in the secure environment.

Technical Safeguards

Access Control
  Requirements:
  - Unique User Identification, 164.312(a)(2)(i): Implement procedures to assign a unique name and/or number for identifying and tracking user identity.
  - Automatic Logoff, 164.312(a)(2)(iii): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  ITUS Med solution:
  - The Armored Online system integrates into existing authentication systems and provides additional Multi-Factor Authentication, Mutual Authentication and Public/Private Key encryption.
  - Automatic Logoff timing is controlled through the ArmoredView Administration Console; users can be automatically logged out of the system based on policy.

Audit Control
  Requirements:
  - Encryption and Decryption, 164.312(a)(2)(iv): Implement procedures to describe a mechanism to encrypt and decrypt ePHI.
  - Audit Controls, 164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  ITUS Med solution:
  - All communications and transactions in the Armored Online system are triple encrypted with SSL, PKI and digital signatures at all times.
  - Legally binding Digital Signatures are appended to all communications and transactions. They include time/day/date stamps as well as sender and recipient information, and provide a legal instrument for non-repudiation and logging of communications, transactions and events.

Integrity
  Requirement:
  - Mechanism to Authenticate Electronic PHI, 164.312(c)(2): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  ITUS Med solution:
  - Beyond the audit and logging features provided by Digital Signatures, any alteration or unauthorized viewing of digitally signed, encrypted information is flagged, whether the communication was intercepted in transit or at rest (persistent data).

ITUS Med leads the industry in providing secure private channel technology to healthcare enterprises.
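The Audit Control and Integrity rows above describe digital signatures that cover each communication together with its sender, recipient and time stamp, so that verification flags any later alteration. The following Go program is an added example and not ITUS Med's code or message format: it signs a constructed envelope with Ed25519 (the envelope fields and the JSON encoding are assumptions) and shows verification failing once the body is changed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Envelope holds what the guide says a signed communication carries: sender,
// recipient, a time stamp and the content. Field names are assumptions.
type Envelope struct {
	Sender    string    `json:"sender"`
	Recipient string    `json:"recipient"`
	SentAt    time.Time `json:"sent_at"`
	Body      string    `json:"body"`
}

// canonical returns the exact bytes that get signed. encoding/json writes
// struct fields in declaration order, so signer and verifier produce the
// same encoding for the same envelope.
func canonical(e Envelope) []byte {
	b, _ := json.Marshal(e) // cannot fail for this plain struct
	return b
}

// Sign produces a detached signature over the whole envelope, binding the
// body to its metadata: changing the recipient or time stamp also breaks it.
func Sign(priv ed25519.PrivateKey, e Envelope) []byte {
	return ed25519.Sign(priv, canonical(e))
}

// Verify reports whether the envelope is unaltered and signed by the holder of pub.
func Verify(pub ed25519.PublicKey, e Envelope, sig []byte) bool {
	return ed25519.Verify(pub, canonical(e), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample message; not real patient data.
	msg := Envelope{Sender: "lab@clinic.example", Recipient: "patient-1234",
		SentAt: time.Date(2024, 1, 2, 9, 30, 0, 0, time.UTC), Body: "HbA1c: 6.1%"}
	sig := Sign(priv, msg)
	fmt.Println("original verifies:", Verify(pub, msg, sig)) // true
	tampered := msg
	tampered.Body = "HbA1c: 5.1%" // altered in transit or at rest
	fmt.Println("altered verifies:", Verify(pub, tampered, sig)) // false
}
```

A real deployment would also check the time stamp against an acceptable window and record the verification result in the audit log, since the signature alone does not stop a valid message from being replayed.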