Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review
REACH - Achieving meaningful use of your EHR
Patti Kritzberger, RHIT, CHPS
ND e-health Summit, Wednesday, November 20, 2013
877-331-8783, ext. 222 | info@khareach.org | www.khareach.org

Objectives
- EHR Incentive Program Meaningful Use Core Measure
- OCR Audit Protocol
- Privacy and Security Meaningful Use Requirement HIPAA Readiness Review: Purpose, Content, Process
- Resources
- Q & A

EHR Incentive Program Meaningful Use Core Measure
Eligible Hospitals/CAHs: Core Measure #13
Eligible Professionals: Core Measure #14
Eligible hospitals and CAHs / eligible professionals must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.

Audit Protocol
The OCR HIPAA Audit program analyzes the processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

What the Audit Protocol Covers
- Privacy Rule requirements for: (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
- Security Rule requirements for administrative, physical, and technical safeguards.
- Requirements for the Breach Notification Rule.

Categories of Standards
Addressable: the CE must assess the reasonableness and appropriateness of the safeguard to protect the ePHI, considering:
- Size, complexity & capability of the CE
- The CE's technical infrastructure, hardware and software security capabilities
- Cost of security measures
- Probability and criticality of potential risks to ePHI
Required: the CE must comply with the standard & implement policies &/or procedures that meet the requirement.

Four Distinct Parts of the Security Rule
Administrative Safeguards: administrative actions, including the establishment of policies & procedures, to manage the activities needed to establish security measures that protect ePHI.
Security Management Process
- Risk Analysis (Required)
- Risk Management (Required)
- Sanction Policy (Required)
- IS Activity Review (Required)
Assigned Security Responsibility
- Designate Security Officer (Required)
Workforce Security
- Authorization and/or Supervision (Addressable)
- Workforce Clearance Procedure (Addressable)
- Termination Procedures (Addressable)

Distinct Parts, cont.
Physical Safeguards: physical measures and policies & procedures, including policies & procedures to protect electronic information systems & related buildings & equipment from natural & environmental hazards & unauthorized intrusion.
Facility Access Controls
- Contingency Operations (Addressable)
- Facility Security Plan (Addressable)
- Access Control & Validation Procedures (Addressable)
Workstation Use (Required)
Workstation Security (Required)
Device & Media Controls
- Disposal (Required)
- Media Reuse (Required)
- Accountability (Addressable)
- Data Backup & Storage (Addressable)

Distinct Parts, cont.
Technical Safeguards: the technology, including policies & procedures for its use, that protects ePHI & controls access to it.
Access Control
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption & Decryption (Addressable)
Audit Controls (Required)
Integrity
- Mechanism to Authenticate ePHI (Addressable)
Person or Entity Authentication (Required)
Transmission Security
- Integrity Controls (Addressable)
- Encryption (Addressable)

Distinct Parts, cont.
Organizational Safeguards: arrangements made between organizations to protect ePHI, including Business Associate Agreements.
Business Associate Contracts or Other Arrangements
- Business Associate Agreements (Required)
- Other Arrangements (Required)
Requirements for Group Health Plans
- Implementation Specification (Required)
Policies & Procedures (Required)
- Mechanism to Authenticate ePHI (Addressable)
Documentation
- Time Limit (Required)
- Availability (Required)
- Updates (Required)

REACH HIPAA Readiness Review Service
Focus of the Service: Eligibility Criteria
REACH Clients:
- Active SLA
- Site has to be included on SLA
- Has not met MU or still has an RHC that has not met MU
- You must have completed your security risk assessment on the certified version of your EHR to be eligible for this service
Non-REACH Clients:
- Fee-for-Service Offering; amount to be determined by scope of work

REACH HIPAA Readiness Review: Purpose
- OCR is performing HIPAA Privacy & Security audits
- Figliozzi & Company is performing meaningful use audits (up to 20% pre- or post-payment audits)
This service has been designed to help clients make sure they have all elements for HIPAA Privacy & Security in place. REACH's assistance and guidance does not ensure you will pass an audit or that auditors will not ask for additional information unanticipated by REACH.

REACH HIPAA Readiness Review: Content
Tools, education, and assistance related to your organization's completion of the HIPAA security risk assessment. REACH conducts a review and readiness assessment of your organization's security risk assessment, which HIPAA has required since 2005. REACH's assessment includes a review of your:
- Most recent HIPAA security risk assessment
- HIPAA privacy and security policies and procedures
- Business continuity and disaster recovery plans
- Business associate agreements
- Privacy and security staff education program
A report will be provided, including suggestions for areas that would benefit from greater focus and attention from your organization. Privacy and security tools will be provided to assist you in your work.

REACH HIPAA Readiness Review: Process
- Contact REACH or, if a current client, contact your REACH Consultant
- Complete an intake form
- A series of calls will be set up: initial, follow-up, and final (followed by the final report)

OCR/CMS Resources
- http://www.hhs.gov/ocr/privacy/index.html
- http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
- http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
- http://cms.gov/regulations-and-guidance/hipaa-Administrative-Simplification/HIPAAGenInfo/index.html?redirect=/HIPAAGenInfo/04_privacystandards.asp

Other Resources
- www.hipaacow.org
- http://www.hipaasurvivalguide.com/hipaa-security-requirements.php
- http://www.hitechanswers.net/6-worst-practices-put-meaningful-use-incentives-hospitals-risk/
877-331-8783, ext. 222 | info@khareach.org | www.khareach.org

QUESTIONS?

Key Health Alliance: Stratis Health, Rural Health Resource Center, and The College of St. Scholastica. REACH is a project federally funded through the Office of the National Coordinator, Department of Health and Human Services (grant number EP-HIT-09-003).