EHR & HIPAA: Managing Compliance & Progress
EHR & HIPAA: Managing Compliance & Progress
Presented by Rodney Walsh, Senior Managing Consultant
May 20, 2010

Agenda
- Federal EHR imperatives
- Certification & meaningful use
- Management of EHR upgrades & acquisitions
- Impact of key changes to HIPAA
- Security solutions

Federal EHR Imperatives & Achieving Meaningful Use
Stimulus Bill - EHR Funding
- 2009 Stimulus Act (ARRA): $2 billion to Office of National Coordinator for Health Information Technology (ONCHIT) to implement Health Information Technology for Economic & Clinical Health Act (HITECH) for electronic health records (EHR)
- 53 pages of details in bill
- EHR for each person in the US by 2014
- Nationwide HIT infrastructure

EHR Proposed Regulations
- EHR funding for PPS hospitals, CAHs & physicians is paid only after provider is a meaningful user (MU) of certified EHR technology
- Proposed regulations published January 13, 2010, to define both terms
- Comments were accepted through March 15, 2010

EHR Adoption Rate
- Healthcare Information & Management Systems Society (HIMSS) EMR Adoption Model: 8 stages, 0 to 7
- [Chart: % of hospitals at Stages 0 to 3 and quarterly improvement %, with average score for all hospitals vs. CAHs; values not recoverable from the transcription]
- % improvement per year will not get us there
Phasing of MU Criteria: National Goals vs. Reality
- Enable health reform: focus on health outcomes, not software
- Feasibility: balance urgency of health reform with calendar time needed to implement HIT; starting from low adoption rate; sensitive to under-resourced practices, e.g., small practices, community health centers, rural settings; HIT essential to achieving health reform in all settings
- Recovery Act provisions: timelines fixed (2015, ); funding rules defined (front-loaded incentives)

EHR - Moving Target
- "The Secretary shall seek to improve the use of EHR & health care quality over time by requiring more stringent measures of meaningful use selected under this paragraph"

HIT-Enabled Health Reform: Achieving Meaningful Use
- HITECH policies
- 2011 Meaningful Use Criteria (capture/share data)
- 2013 Meaningful Use Criteria (advanced care processes with decision support)
- 2015 Meaningful Use Criteria (improved outcomes)
- HIT-enabled health reform
Qualifying for Incentives Part One: Certified Systems

EHR Technology Certification
- Section 3001(c)(5) of HITECH provisions grants NCHIT authority to establish certification process (NPRM in March 10, 2010 Federal Register)
- Intent is to provide assurance to purchasers that EHR system/module is capable of meeting meaningful use criteria
- NPRM establishes steps to: authorize organizations to become certifying bodies; allow EHR vendors to have systems certified against MU criteria

EHR Technology Certification
- ONC is consulting with NIST on development of two proposed certification programs
- Temporary certification process: ONC will authorize organizations to test & certify EHRs & EHR modules, to assure availability of certified systems prior to compliance date
- Permanent certification process: more comprehensive/will replace temporary process; establishes requirements related to surveillance of certified EHRs; certifies other types of HIT besides EHRs & EHR modules
Certification Testing - NIST Test Method
- Rollout schedule - MU requirements: General Criteria (302); Ambulatory (304); Inpatient (306)

Qualifying for Incentives Part Two: Demonstrate Meaningful Use
Demonstrating Meaningful Use
- Under HITECH, an EP or eligible hospital is considered a meaningful EHR user if they:
  - Demonstrate use of certified EHR technology in meaningful manner
  - Demonstrate certified EHR technology is connected in manner providing for electronic exchange of health information to improve quality of health care, such as promoting care coordination
  - Using its certified EHR technology, submit information on specified clinical quality measures & other measures

Achieving Meaningful Use
- Hospitals must meet 23 objectives to demonstrate meaningful use
- Attest to compliance during continuous 90-day period during first year, starting in federal fiscal year 2011 (on or after 10/1/10)
- Must be in compliance for full year in subsequent years

Achieving Meaningful Use
- For Year 1 Medicaid payment: must have installed technology, but do not have to be meaningful user
- Must be meaningful user for subsequent Medicaid payments
- Must be meaningful user for ALL Medicare payments
- Hospitals & physicians must keep documentation supporting their demonstration of meaningful use for 10 years
Achieving Meaningful Use
- Physicians & other professionals must meet 25 objectives
- Compliance measured based on calendar year, starting in continuous days of compliance in first year, full-year compliance thereafter

Achieving Meaningful Use
- [Table: meaningful use stage criteria by payment year and first payment year; values not recoverable from the transcription]
- Stage 2 & 3 criteria yet to be defined, but will be significantly more stringent

Registration of Meaningful Use
- Centers for Medicare & Medicaid Services is expanding its current Medicare provider enrollment system to make it easier for physicians to register to receive meaningful use incentives
- Awarded $1.6 million contract to develop necessary additional functions for Provider Enrollment Chain Ownership System (PECOS), which manages, tracks & validates enrollment of providers & suppliers in Medicare program
- Physicians & hospitals must attest they have met requirements for meaningful use of electronic health records for 90 days to qualify for incentives available in 2011
- Modification of PECOS system will take about 10 months
Management of EHR Upgrades and/or Acquisitions

Managing EHR Acquisitions and Implementations to Achieve Meaningful Use - Key Questions
- What activities will be reimbursed?
- How do you manage such a large project?
- Can your current systems & technology support EHR?
- What exactly do you want new HIT/EHR system to do?
- How do you manage selection process?
- How can you be sure your new HIT/EHR investment is implemented properly?

Stages of Development
- Preliminary project stage: conceptual formulation of alternatives; evaluation of alternatives; determination of existence of needed technology; final selection of alternatives
Stages of Development
- Application development stage: acquisition and design of chosen path, including software configuration & software interfaces; coding; installation of hardware; testing, including parallel processing phase
- Post-implementation/operation stage: training; maintenance

Step One: Support Process (Preliminary Project Stage Category)
- Process must be supported by management structure
- I/S steering committee: blend business planning, budgeting & I/S strategic planning
- Project team(s): use project management tools & processes

Step Two: Assess Readiness (Preliminary Project Stage Category)
- EHR readiness assessment
- ARRA reimbursement analysis
- Technical & IT infrastructure inventory
- Security compliance (HIPAA) & control assessment
- Current systems capabilities assessment
- Development of EHR project charter
Step Three: Document Needs (Preliminary Project Stage Category)
- EHR needs assessment/RFP development
- Understand current state of EHR/HIT options
- Define your specific needs, requirements & expectations for HIT/EHR
- Clearly identify system or combination of systems required to demonstrate meaningful use
- Develop request for proposal (RFP) or request for information (RFI)

Step Four: Select Solution (Preliminary Project Stage Category)
- System selection: follow structured evaluation & selection process using needs-driven metrics
- Perform due diligence analysis of top two vendors or suites of vendors
- Understand total cost of ownership (TCO)
- Perform implementation planning
- Ensure combination of systems to be acquired meets all meaningful use certification criteria
- Assess, negotiate & execute contracts

Step Five: Manage Implementation (Application Development Stage Category)
- Project management office
- Implement selected solution(s)
- Use structured project management tools
- Manage project: vendors, internal staff, external staff
- Control changes
Post-implementation Management (Post-implementation/Operation Stage Category)
- Transition to ongoing vendor & system management
- Demonstrate meaningful use

EHR and HIPAA Compliance
- Business Associates
- Enforcement updates
- Breach
- Other HIPAA changes

ARRA - Business Associates
- HIPAA privacy & security provisions now apply to Business Associates
- Includes notification to covered entity regarding breaches
- Extends to civil & criminal penalties
- Must be incorporated into BA agreements
- Annual guidance to come from HHS
ARRA - Business Associates
- BA definition expanded to those that provide data transmission of PHI, such as RHIOs, health information exchanges
- Recommend: CEs perform BA risk assessment based on nature of PHI/ePHI & role of BA
  - BA audit/security-privacy assessment
  - BA risk ranking (amount of access to PHI, exposure)
  - Independent assessment/SAS 70

ARRA - HIPAA Enforcement
- Periodic HHS CE & BA compliance audits
- Mandatory penalties for willful neglect
- Violations made without knowledge: $100 up to $25,000; can apply corrective action without penalty
- Violations based on reasonable cause: $1,000 up to $100,000
- Violations due to willful neglect: $10,000 up to $250,000

ARRA - HIPAA Enforcement
- Uncorrected willful neglect: $50,000 up to $1.5 million
- Extends criminal penalties to individual or employee of CE
- State attorneys general can file civil suit on behalf of residents
- Effective immediately
- Recommend: CEs complete HIPAA gap analysis/risk assessment/BA risk assessment
ARRA - Breach Notification
- What is a breach? Unauthorized acquisition, access, use or disclosure of unsecured PHR that compromises security, privacy or integrity of such PHR, posing significant risk of financial, reputational or other harm to individual
- Requires risk assessment to determine if a breach
- Preempts contrary state law; does not preempt state laws with additional requirements

ARRA - Breach Notification Exceptions
- If above is unintentional by workforce member, in good faith, within scope of employment, without further dissemination
- Inadvertent disclosure between authorized individuals within facility without further disclosure
- If employee follows policy & reports incident & follow-up investigation is performed
- Secured PHR

ARRA - Breach Notification
- Notice to Commission within 10 business days of breach
- Patient must be notified, by first-class mail or , without unreasonable delay (max 60 days of discovery of breach)
ARRA - Breach Notification
- If affects 500 patients or more, must report to HHS & install toll-free number
- Under 500 patients, maintain log for each breach & notify HHS within 60 days after end of calendar year
- If 500 patients or more of a state or jurisdiction, must post to website for 90 days & report to media outlet that covers impacted patients

Breach - What to Provide
- Brief description of what happened, including date of breach & date of discovery of breach, if known
- Description of types of unsecured PHR identifiable health information involved in breach (such as full name, Social Security number, date of birth, home address, account number or disability code)

Breach - What to Provide
- Steps individuals should take to protect themselves from potential harm resulting from breach
- Brief description of what entity that suffered breach is doing to investigate breach, to mitigate harm & to protect against any further breaches
- Contact procedures for individuals to ask questions or learn additional information, which shall include toll-free telephone number, address, website or postal address
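The breach-notification slides above form a decision procedure: exceptions first, then the 500-or-more threshold, the per-state threshold for website and media notice, and the deadlines measured from discovery. The helper below is an added illustration, not part of the BKD presentation; it encodes only the thresholds and windows stated on those slides, counts business days by skipping weekends only (holidays are not modelled), and leaves the deadline as None where the slides state no time limit. The breach facts are constructed sample values.

```python
"""Breach notification decision helper (added illustration; the thresholds
come from the "ARRA - Breach Notification" slides, everything else is an
assumption of this example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BreachFacts:
    discovered: date                      # date the breach was discovered
    affected_by_state: dict               # constructed counts, e.g. {"MO": 620, "KS": 40}
    secured: bool = False                 # "Secured PHR" exception
    good_faith_workforce: bool = False    # unintentional, in-scope workforce access, no further use
    inadvertent_authorized: bool = False  # inadvertent disclosure between authorized individuals


def add_business_days(start, n):
    """Advance n business days; weekends skipped, holidays ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def notification_plan(facts):
    """Map each required action to its deadline (None = slides state no deadline)."""
    if facts.secured or facts.good_faith_workforce or facts.inadvertent_authorized:
        return {}  # one of the listed exceptions applies: not a reportable breach
    total = sum(facts.affected_by_state.values())
    plan = {
        # "without unreasonable delay (max 60 days of discovery)"
        "notify_individuals_first_class_mail": facts.discovered + timedelta(days=60),
        # "Notice to Commission within 10 business days of breach"
        "notice_to_commission": add_business_days(facts.discovered, 10),
    }
    if total >= 500:
        plan["report_to_hhs"] = None
        plan["install_toll_free_number"] = None
    else:
        plan["log_breach"] = None
        # "notify HHS within 60 days after end of calendar year"
        plan["notify_hhs_annual_log"] = date(facts.discovered.year, 12, 31) + timedelta(days=60)
    for state, count in facts.affected_by_state.items():
        if count >= 500:
            # "post to website for 90 days & report to media outlet"
            plan[f"website_posting_until:{state}"] = facts.discovered + timedelta(days=90)
            plan[f"media_notice:{state}"] = None
    return plan


if __name__ == "__main__":
    sample = BreachFacts(date(2010, 5, 20), {"MO": 620, "KS": 40})
    for action, deadline in sorted(notification_plan(sample).items()):
        print(f"{action:40s} {deadline}")
```

The per-state loop matters because the media and website duties attach to each state or jurisdiction that crosses 500 on its own, not to the total; a breach spread thinly across many states can exceed 500 overall yet trigger no media notice.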
ARRA - Other HIPAA Changes
- Accounting for disclosures
- Right to request restrictions
- Limited data sets & minimum necessary
- Prohibitions on sale of PHI/ePHI
- Marketing communications
- Access to EHR
- Opt-out of fundraising

Summary
- We are moving toward interconnected health care system
- IT has been identified as key enabler
- Management of these "bet your business" processes & technologies is key
- Balance of this presentation is in that spirit

Management & Compliance Model: Security Management
EMR Data Theft on Rise
- Numbers are staggering. Nearly 220 million electronic records have been breached since January 2005, according to non-profit consumer information & advocacy organization (Source: Privacy Rights Clearinghouse)

EMR Data Theft on Rise
- Data theft & other fraudulent activities related to exposure of EMR data more than doubled last year, to 7 percent in 2009, compared to 3 percent in
- EMRs can be so rich in sensitive data like Social Security numbers, insurance ID numbers, medical history & even payment information & are tremendously valuable to criminals (Source: InformationWeek 2010)

EMR Data Theft on Rise
- Criminals tend to use information stolen from medical records for average of 320 days vs. just 81 days for pilfered data from other sources
- It takes twice as long to detect medical data fraud than with other forms of identity theft, & costs $12,100 to do so, also more than twice general average (Source: InformationWeek)
Protection & Prevention
- Proactive: security devices, controls & processes
- Approach requires technical solutions
- Implementation can be costly (higher overall costs in early stages)
- Requires management buy-in

Detection & Response
- Reactive: highly manual
- Implies activity has already occurred
- Requires manual interaction (legal, audit, risk management, human resources, privacy)
- Discovery, legal & regulatory costs can be high

Best Approach
- Protection & Prevention
- Detection & Response
Best Practice Approach
- Data Classification: understand what data is most sensitive (contains PHI)
- Data Discovery & Data Flow: know where this data resides at all points of transaction. Identify all access points & methods, to include application, server operating systems, database systems, transmission devices & all others able to impact or capture PHI
- Risk Assessment: understand your risk model (ISO 27000, COBIT, IIA)

Best Practice Approach
- EHR Security Strategy & Design: select appropriate controls based on policy, risk & where sensitive data resides
- Implementation: integrate appropriate controls; manage security centrally
- Continuous Oversight: audit security to constantly improve

1 - Data Classification
- Categorize (financial, clinical, marketing, medical history, demographics)
- Classification of data to process, system & field levels
- Criticality & sensitivity ratings
- Regulatory requirements associated
- Identify intended data owners, custodians & users
- Determine retention & destruction periods
1 - Data Classification Impacts
- De-identification
- Minimum necessary requirements
- BA compliance with breach, privacy & security regulations
- Scaling incident response
- Data destruction policies

2 - Data Discovery & Data Flow
- Flow data throughout its lifecycle
- Identify all systems, applications, databases & devices EHR touches
- Identify all security & control methods in place
- Identify ownership & responsibility for each identified touch point
3 - Risk Assessment
- Logical & physical security (OS, database, application, segregation of duties)
- Authorization & appropriateness
- Configuration & change management
- Transmissions & sharing (encryption)
- Include coverage of Business Associates

Design Level Risk Assessments
- Includes scoping/ID of technology
- Maturity assessments
- Penetration testing
- Data flow analysis

BA Risk Assessment
- Assess risks posed by Business Associates
- Understand HIPAA compliance status of key Business Associates
- Consider services performed for hospital by BA, type of data/PHI, technology employed by BA, actions performed with/on PHI
- Establish appropriate BA agreements
4 - EHR Security Strategy & Design
- Based on results of risk assessment & understanding of current environment
- Can your current systems & resources support EHR?
- Can your BA chain's current systems & resources support EHR?
- Buy vs. build?
- In-house or outsource?
- Develop short- & long-term strategy

5 - Implementation
- Define controls & owners
- Ensure methods are integrated to detect changes to these controls
- Include Business Associates where applicable
- Ensure business & privacy departments maintain oversight of project

6 - Continuous Oversight
- Internal/external audit of critical controls
- Operational effectiveness risk assessments
- Oversight that retention & destruction practices are followed
- Logs & audit trails of disclosures
- Penetration testing
- Develop processes for new EHR requirements & additions
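Steps 1 through 5 above (classification, data-flow discovery, risk assessment, and defining controls with owners so that changes to them are detected) can be carried as one inventory of every touch point that handles PHI. The code below is an added illustration, not part of the BKD presentation: it records each system's data classes, owner, in-place controls and Business Associate status, reports the gaps the slides call out (no owner, unencrypted transmission, no disclosure audit trail, no retention period, un-assessed BA, missing BA agreement), and hashes each touch point's control set so a later run can flag control drift. The systems, names and control keys are constructed sample values.

```python
"""PHI data-flow inventory with gap and control-drift checks (added
illustration; the checks mirror the slides' steps 1-5, the inventory
model and sample systems are assumptions of this example)."""
import copy
import hashlib
import json
from dataclasses import dataclass, field

# Data classes the slides list that carry PHI ("marketing" does not)
PHI_CLASSES = {"clinical", "medical_history", "demographics", "financial"}


@dataclass
class TouchPoint:
    name: str
    kind: str                       # application, database, os, transmission
    data_classes: set
    owner: str = ""
    controls: dict = field(default_factory=dict)  # e.g. {"encrypt_in_transit": True}
    business_associate: bool = False
    ba_assessed: bool = False       # BA risk assessment performed
    ba_agreement: bool = False      # BA agreement executed
    retention_days: int = 0         # retention & destruction period


def handles_phi(tp):
    return bool(tp.data_classes & PHI_CLASSES)


def find_gaps(inventory):
    """Sorted (touch point, gap) pairs for every PHI touch point."""
    gaps = []
    for tp in inventory:
        if not handles_phi(tp):
            continue
        if not tp.owner:
            gaps.append((tp.name, "no data owner assigned"))
        if tp.kind == "transmission" and not tp.controls.get("encrypt_in_transit"):
            gaps.append((tp.name, "PHI transmitted without encryption"))
        if tp.kind == "database" and not tp.controls.get("access_logging"):
            gaps.append((tp.name, "no audit trail of disclosures"))
        if tp.retention_days <= 0:
            gaps.append((tp.name, "no retention/destruction period"))
        if tp.business_associate and not tp.ba_assessed:
            gaps.append((tp.name, "business associate not risk-assessed"))
        if tp.business_associate and not tp.ba_agreement:
            gaps.append((tp.name, "no business associate agreement"))
    return sorted(gaps)


def control_baseline(inventory):
    """Hash each touch point's control set so later changes can be detected."""
    return {tp.name: hashlib.sha256(json.dumps(tp.controls, sort_keys=True).encode()).hexdigest()
            for tp in inventory}


def control_drift(baseline, inventory):
    """Names of touch points whose controls differ from the recorded baseline."""
    current = control_baseline(inventory)
    return sorted(n for n in current if baseline.get(n) != current[n])


def with_control(inventory, name, control, value):
    """Copy of the inventory with one control changed (to demonstrate drift)."""
    out = copy.deepcopy(inventory)
    for tp in out:
        if tp.name == name:
            tp.controls[control] = value
    return out


# Constructed sample inventory
SAMPLE = [
    TouchPoint("ehr_app", "application", {"clinical", "demographics"}, owner="CMIO",
               controls={"rbac": True, "access_logging": True}, retention_days=3650),
    TouchPoint("ehr_db", "database", {"clinical", "medical_history"}, owner="DBA lead",
               controls={"encrypt_at_rest": True}, retention_days=3650),
    TouchPoint("hie_link", "transmission", {"clinical"}, owner="",
               controls={"encrypt_in_transit": False}, business_associate=True,
               ba_assessed=False, ba_agreement=True),
    TouchPoint("marketing_list", "application", {"marketing"}, owner="Marketing"),
]

if __name__ == "__main__":
    for name, gap in find_gaps(SAMPLE):
        print(f"{name}: {gap}")
    baseline = control_baseline(SAMPLE)
    print("drift:", control_drift(baseline, with_control(SAMPLE, "hie_link", "encrypt_in_transit", True)))
```

Storing the baseline hashes alongside the inventory turns step 5's "detect changes to these controls" into a repeatable check: any edit to a touch point's controls, whether a hardening or a silent regression, shows up as drift and can be routed to the control's owner for review.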
Related Compliance Solutions
- IT governance
- Policy & procedure development
- SDLC/change management
- Incident management
- Encryption
- Business continuity planning/disaster recovery planning
- Red Flag/PCI assistance

Questions/Comments

Upcoming Webinar
- The 2009 Form 990: Year Two of the Redesigned Forms
- Presented by Brian Todd, BKD, LLP
- Wednesday, May 26, a.m. Central time
- For more information about this webinar or to register, visit
Thank You
Rodney Walsh, CGEIT
Senior Managing Consultant
BKD Risk Management Group
120 W. 12th Street, Suite 1200
Kansas City, MO
More information2017 RIMS CYBER SURVEY
2017 RIMS CYBER SURVEY This report marks the third year that RIMS has surveyed its membership about cyber risks and transfer practices. This is, of course, a topic that only continues to captivate the
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationPTLGateway Data Breach Policy
1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This
More information<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager. https://www.2passeasy.
Exam Questions CISM Certified Information Security Manager https://www.2passeasy.com/dumps/cism/ 1.Senior management commitment and support for information security can BEST be obtained through presentations
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationTerms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.
Medical Privacy Version 2018.03.26 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a Covered Entity
More informationCloud Communications for Healthcare
Cloud Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization
More informationBeam Technologies Inc. Privacy Policy
Beam Technologies Inc. Privacy Policy Introduction Beam Technologies Inc., Beam Dental Insurance Services LLC, Beam Insurance Administrators LLC, Beam Perks LLC, and Beam Insurance Services LLC, (collectively,
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationAnticipating the wider business impact of a cyber breach in the health care industry
Anticipating the wider business impact of a cyber breach in the health care industry John Gelinne, Director Cyber Risk Services Deloitte & Touche LLP jgelinne@deloitte.com commodore_22 Hector Calzada,
More informationHIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance
HIPAA Compliance Officer Training By HITECH Compliance Associates Building a Culture of Compliance Your Instructor Is Michael McCoy Nationally Recognized HIPAA Expert » Nothing contained herein should
More informationWHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty
WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches
More informationUpdate on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016
Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,
More informationHIPAA & Privacy Compliance Update
HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com
More informationHIPAA Security Manual
2010 HIPAA Security Manual Revised with HITECH ACT Amendments Authored by J. Kevin West, Esq. 2010 HALL, FARLEY, OBERRECHT & BLANTON, P.A. DISCLAIMER This Manual is designed to set forth general policies
More informationSeven gray areas of HIPAA you can t ignore
White Paper: HIPAA Gray Areas Seven gray areas of HIPAA you can t ignore This guide exists to shed some light on some of the gray areas of HIPAA (the Health Insurance Portability and Accountability Act).
More informationUnderstanding the Impact of Data Privacy January 2012
Understanding the Impact of Data Privacy January 2012 Presented By: Eric Dieterich Agenda Why is data privacy important Quantifying the costs of a data breach Clarifying the differences between a privacy
More informationHIPAA ( ) HIPAA 2017 Compliancy Group, LLC
855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance
More informationEHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites
EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR For Viewer Sites Agenda 1 Introduction and EHR Security Policies Background 2 EHR Security Policy Overview 3 EHR Security Policy Assessment
More information10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment
Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing
More informationElectronic Communication of Personal Health Information
Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy
More informationHIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017
HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 Breach Notification State Law Privacy Rule Authorizations Polices and Procedures The Truth Is Have created
More informationKeeping It Under Wraps: Personally Identifiable Information (PII)
Keeping It Under Wraps: Personally Identifiable Information (PII) Will Robinson Assistant Vice President Information Security Officer & Data Privacy Officer Federal Reserve Bank of Richmond March 14, 2018
More informationHIPAA / HITECH Overview of Capabilities and Protected Health Information
HIPAA / HITECH Overview of Capabilities and Protected Health Information August 2017 Rev 1.8.9 2017 DragonFly Athletics, LLC 2017, DragonFly Athletics, LLC. or its affiliates. All rights reserved. Notices
More informationby Robert Hudock and Patricia Wagner April 2009 Introduction
HITECH Updates: Proposed Health Breach Notification Rule Promulgated by the FTC; HHS Releases Guidance on How to Render PHI Unusable, Unreadable, or Indecipherable by Robert Hudock and Patricia Wagner
More informationCertification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption
Certification Commission for Healthcare Information Technology CCHIT A Catalyst for EHR Adoption Alisa Ray, Executive Director, CCHIT Sarah Corley, MD, Chief Medical Officer, NextGen Healthcare Systems;
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationGetting Security Right: The CISO of the Future
Getting Security Right: The CISO of the Future Presented by: Mac McMillan CEO, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com
More informationLCU Privacy Breach Response Plan
LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationA Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud
A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationHIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED
HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within
More informationThank you, and enjoy the webinar.
Disclaimer This webinar may be recorded. This webinar presents a sampling of best practices and overviews, generalities, and some laws. This should not be used as legal advice. Itentive recognizes that
More informationMeaningful Use Audit, Is Your Organization Ready!
Meaningful Use Audit, Is Your Organization Ready! Presenters: Pavan Attur, Director of Applications, St. John s Episcopal Hospital Bill Presley, Vice President Product Development, Acmeware Education Session
More information