WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty
- Elaine Spencer
By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN

[Figure: Data Breaches by month, 2014; categories: Theft, Hacking / IT Incident, Loss, Disclosure, Improper Disposal, Not Specified]

2015 breach reports for HIPAA have already surpassed the 100 mark, with 110 reported June year-to-date. The average total cost of a data breach is $3.8 million, an increase of 23% since 2013 according to IBM's tenth annual Cost of Data Breach Study. The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased 6% to an average of $154 per record breached. Yet in healthcare, the cost is more than double, at $363 per record. Source:
Many healthcare organizations may consider themselves unlikely to incur a breach, yet this same study reports a 22% probability of a breach occurring over 24 months. This white paper summarizes how to help protect your practice or organization from becoming a casualty of a HIPAA breach.

Conduct a Risk Assessment

Conduct a risk assessment in accordance with the HIPAA Privacy and Security Rules that govern the transmission of all electronic patient information. The risk assessment will force you to review security policies, identify threats and uncover vulnerabilities. Covered entities should be aware of the differences between the Privacy and Security Rule requirements regarding protected health information. One major distinction is that the HIPAA Security Rule applies only to electronic protected health information (ePHI). A covered entity is responsible for maintaining the confidentiality, integrity and availability of all ePHI. Under the HIPAA Security Rule, covered entities are required to perform a risk analysis that documents any risks or vulnerabilities to ePHI. Any risks or vulnerabilities identified should be appropriately addressed and the steps taken to mitigate them documented, including any necessary changes to policies and procedures. All documents should be retained for a minimum of six years. A plan should be developed based on the results of the risk analysis, and should describe how your practice or healthcare organization uses administrative, physical and technical safeguards to mitigate risks. This risk analysis should be an ongoing process; to achieve Meaningful Use, a periodic review is required. There is no one-size-fits-all approach: the security measures scale to any size of practice or healthcare organization. The Administrative, Physical and Technical Safeguards are the focus of the OCR Audit Program Protocol for the Security Rule.
Covered entities must comply with all of the standards listed below; some of these standards also have required implementation specifications that must be followed:

Administrative Safeguards
- Security Management Process (required implementation specifications for Risk Analysis, Risk Management, Sanction Policy and Information System Activity Review)
- Assigned Security Responsibility (required implementation specification to identify a Security Official)
- Workforce Security
- Information Access Management (required implementation specification for Isolating Healthcare Clearinghouse Function)
- Security Awareness and Training
- Security Incident Procedures (required implementation specification for Response and Reporting)
- Contingency Plan (required implementation specifications for a Data Backup Plan, a Disaster Recovery Plan and the development and implementation of an Emergency Mode Operation Plan)
- Evaluation (required implementation specification for periodic technical and non-technical evaluation)
- Business Associate Contracts and Other Arrangements (required implementation specification for a Written Contract)

Physical Safeguards
- Facility Access Controls
- Workstation Use (required implementation specification for Function and Physical Attributes)
- Workstation Security (required implementation specification for Physical Safeguards and Access Restrictions)
- Device and Media Controls (required implementation specifications regarding Methods for Final Disposal of ePHI and Procedures for Reuse of Electronic Media)

Technical Safeguards
- Access Controls (required implementation specifications to assign all system users a Unique Identifier and to establish an Emergency Access Procedure)
- Audit Controls (required implementation specification to Record and Examine Activity)
- Integrity Controls
- Transmission Controls
- Person or Entity Authentication (required implementation specification for Authentication Procedures)

With the enactment of HITECH, the HIPAA Enforcement Rule allows Civil Monetary Penalties (CMP) for violations of the Privacy and/or Security Rules. A covered entity could be assessed a fine of up to $1.5M for identical violations in one calendar year even if the covered entity did not know about a violation. If a violation is known, it must be corrected within 30 days of discovery or be subject to maximum penalties.

Continue HIPAA Education

Educate your employees so that they understand that the security of patient health information is an integral part of their professional responsibility. Continually educate employees on current HIPAA rules and regulations, and review state regulations involving the privacy of patient information. When employees are frequently reminded of the implications of data breaches, the risk of a violation is significantly reduced.
Training and education on the practice's or organization's HIPAA policies and procedures should also be ongoing to ensure all employees are aware of their responsibilities to keep patient information private and secure. For instance, a covered entity must obtain an individual's written authorization for any use or disclosure of PHI that is not related to treatment, payment or healthcare operations, with a few otherwise permitted exceptions. The covered entity should make reasonable efforts to disclose only the minimum amount of PHI necessary for the intended purpose, and access to PHI should be granted only to those employees whose duties require it.

Understanding the Privacy Rule

Covered entities have several requirements under the Privacy Rule. The purpose of the rule is to protect and secure individually identifiable patient information, and the covered provider has the ultimate responsibility for HIPAA compliance. Compliance with the Privacy Rule was required on April 14. According to the OCR's HIPAA Audit Program Protocol for covered entities on Privacy Rule requirements, the following processes, controls and policies will be reviewed:
- Notice of Privacy Practices for PHI
- Rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures

A couple of important aspects of the rule involve practical steps such as assigning a privacy/security officer and staff training. Your employees should be aware of who is serving in these important roles. The privacy and security officer should develop, document and maintain policies and procedures, and work with the IT team and EHR vendors. Office policies and procedures should be reviewed and updated as needed to ensure that every possible system is in place to secure and protect all PHI, which under the Privacy Rule means any PHI, whether oral, paper or electronic. Most importantly, the staff must be continually educated about any changes to existing Privacy policies and procedures.

Monitor Devices and Records

The OCR reports 34 data breach incidents affecting more than 500 people from January through mid-August. About half are related to theft, most commonly involving laptops, desktop computers and other portable electronic devices. It is important to frequently remind employees to be watchful of any electronic devices or records left unattended. While it is the job of your IT staff to safeguard patient information, employees also need to be mindful of their role in keeping patient data safe by watching devices and patient records.

Encrypt Data & Hardware

While theft and loss remain a key source of data breaches, even more surprising is the vulnerability of healthcare-related devices to hacking.
Frequently used devices and components in healthcare that have proven vulnerable, and that cannot be overlooked during a security risk assessment, include:
- Virtual private network
- Firewalls
- Software
- Printer/Scanner/Fax
- Mail Servers

Many breach incidents involving theft or loss could have been avoided with the use of encryption technology. While HIPAA does not require the encryption of data, it also does not consider the loss of encrypted data a breach. Encrypting patient information is one way to avoid potential penalties, and it also protects against other vulnerabilities associated with hardware (servers, networks, mobile and other medical devices). Ensure that networks with public access do not expose private patient information. Instead, create dedicated secure networks for the transmission of patient information.
Scrutinize Service-Level Agreements

If you are considering retaining patient information and data in the cloud, be certain that the Service Level Agreement (SLA) you have with your Cloud Service Provider clearly states that you own the data and that it can be accessed securely and in a timely manner. Also ensure that the SLA complies with HIPAA and state privacy laws.

Make Business Associates Accountable

Update and maintain business associate agreements so that they reflect changes to federal and state privacy regulations. Healthcare organizations usually have many vendors with access to patient data. In the event of a breach, the healthcare practice or organization is responsible. Hold your Business Associates (BAs) accountable for putting safeguards in place to protect PHI, for providing security and risk assessments, and for reporting breaches immediately to the covered entity.

Understand Risks of Being Mobile and Social

The dynamic nature of technology creates more ways to become susceptible to data breaches. Texting, the use of mobile devices and social media, all common among healthcare workers, increase this likelihood. Is texting patient information a part of how you communicate? Quicker than a phone call, texting is often used by healthcare workers to convey work-related information. It is important to ensure that you are texting in a HIPAA-compliant manner. Texting has become a routine means of communication for most mobile phone users, including healthcare providers. Approximately three-quarters of clinicians use texting to exchange work-related information with other clinicians (see Frost and Sullivan 2011). The convenience, ease and speed of text messaging are all appealing. But under the HIPAA Privacy and Security Rules, texting presents many compliance issues. Standard text messaging is not secure and should never be used to exchange patient information.
Secure text messaging can be done within the HIPAA regulations, but there are several things to consider (Adam Greene, April 2012):
- Password protection and encryption. Check with the vendor regarding the security of the mobile device.
- A policy regarding what patient information, if any, will be shared.
- Immediate deletion of all texts regarding patient information, to reduce the possibility of unauthorized third-party exposure.
- The ability to remotely wipe the mobile device in case of theft.
- Usage of texting must be disclosed in the Notice of Privacy Practices.
- Documentation of texted information in the patient's record if the shared information affects the patient's care.
- The patient must be able to request amendment of their record, according to the Privacy Rule.
- A business associate agreement with the mobile device carrier if text information is stored on a server on a routine basis or sent via .
- Immediate disclosure of a security breach and corrective action within 30 days.
Are your mobile devices HIPAA compliant?

Significant civil and criminal penalties, including large fines, loss of licensure and even imprisonment, are associated with HIPAA violations regarding the exchange of ePHI. To avoid these possible penalties, ensure your mobile phone usage is in compliance with the HIPAA Privacy and Security Rules. As the world of healthcare evolves, more and more healthcare providers are using mobile devices when conducting business. In fact, having a mobile device is almost a necessity in healthcare today. Healthcare workers who use mobile devices need to ensure that they are not risking data breaches and must protect private patient information. If you are a covered entity, you are responsible for complying with HIPAA regulations for securing private patient information, including when using mobile devices. Here are several guidelines to ensure proper security when using mobile devices:
- Before allowing the use of mobile devices, decide whether they will be used to access, retrieve, or store patient data or as part of your organization's internal EHR system.
- Think about the threats that mobile devices pose to the confidentiality of the patient information your organization holds.
- Identify a risk management strategy for mobile devices.
- Evaluate and maintain the safeguards your organization has in place for mobile devices.
- Develop, document, and implement a policy for your organization regarding safeguarding private health information.
- Conduct ongoing privacy training for mobile device users in the workplace.

Do you risk violating HIPAA on social media?

As technology has advanced, so has social media, with more and more platforms arising for people to communicate anytime, anywhere and with anyone. With the increased presence of social media in our lives comes an increase in the possibilities for breaching patient confidentiality.
Healthcare workers may not even realize that providing vague details about their day on a social media platform can put them at risk of disclosing personal patient information. Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, web pages, Google+ and LinkedIn can all get healthcare providers in trouble under HIPAA, state privacy laws, and state medical laws. Data breaches in the healthcare community have risen with physicians' and other healthcare professionals' increased use of social media. Most of these breaches could have been avoided. Any disclosure of a patient's protected health information (PHI) through social media can be a problem. Here are some tips to avoid violating HIPAA with social media:
- Do not talk about patients online, even in general terms. Simply avoiding the use of a patient's name is not enough. Identifiable factors, such as patient age and medical condition, should also be avoided. Talking about disease conditions, treatment options, and research is okay. Talking about specific patients with these disease conditions is not okay.
- Do not blog anonymously. Being anonymous gives people a false sense of power, making them feel they can say whatever they want without consequence.
- If you would not say it in a crowded elevator, do not post it online.
- Have a friend check your posts before you share them. What might be funny to you may not come off as funny to others. A fresh set of eyes can help assess whether or not you are heading down a slippery slope.
- Keep your personal and professional lives separate. Do not friend request patients from your personal accounts.
- Set your posts so that only friends can view them. Check your privacy settings monthly, as they can change.

As technology and legislation evolve, your policies and procedures need to be updated to stay current. Plan to review them at least once every six months, and be sure your social media policy includes a section on PHI.

Conclusion

This white paper summarizes ways to help protect your healthcare practice or organization against data breaches. Having policies and guidelines in place, and communicated to employees, is important so that they know what they can and cannot do. Having a full compliance program in place can help ensure you are HIPAA compliant and protect your entity against data breaches. From policies and procedures to employee training and risk assessments, First Healthcare Compliance offers a comprehensive compliance management program solution to ensure your entity is HIPAA compliant and maintains compliance not just in HIPAA but in all areas mandated by the Affordable Care Act (ACA).

Avoid The Wall of Shame

Healthcare entities have enhanced visibility of privacy and security breaches. As part of HITECH, any breach affecting over 500 individuals will be posted on The Wall of Shame on the HHS website. To avoid joining this list, continually monitor your practice or healthcare organization for vulnerabilities and threats, and mitigate any potential risks to PHI to prevent avoidable breaches.
Our Solution

Confidently manage compliance with the First Healthcare Compliance comprehensive compliance management solution, which provides you the visibility, oversight, controls and tools to manage your organization's compliance program from the top down and from the bottom up. Mitigate your risk and drive compliance with our customized, scalable cloud-based solution coupled with live support from our team of experts in healthcare compliance.

First Healthcare Compliance
3903 Centerville Road, Wilmington, DE
First Healthcare Compliance LLC. All rights reserved.
HIPAA Faux Pas Lauren Gluck Physician s Computer Company User s Conference 2016 Goals of this course Overview of HIPAA and Protected Health Information Define HIPAA s Minimum Necessary Rule Properly de-identifying
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, 2016 6/21/2016 1 1 Disclaimer
More informationA HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,
A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP, JD Director, HHS Office for Civil Rights Nicholas Heesters,
More informationHIPAA AND SECURITY. For Healthcare Organizations
HIPAA AND EMAIL SECURITY For Healthcare Organizations Table of content Protecting patient information 03 Who is affected by HIPAA? 06 Why should healthcare 07 providers care? Email security & HIPPA 08
More informationCYBERSECURITY IN THE POST ACUTE ARENA AGENDA
CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities
More informationHIPAA COMPLIANCE AND
INTRONIS MSP SOLUTIONS BY BARRACUDA HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and Intronis Cloud Backup and
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationHIPAA Privacy and Security Training Program
Note The following HIPAA training is intended for Vendors, Business Associates, Students, Pre Approved Shadowers, and Visitors. The following training module does not provide credit for annual training
More informationRemote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act
Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act Are your authentication, access, and audit paradigms up to date? Table of Contents Synopsis...1
More informationDATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE
DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE Melodi (Mel) M. Gates mgates@pattonboggs.com (303) 894-6111 October 25, 2013 THE CHANGING PRIVACY CLIMATE z HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY
More informationDeveloping Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack
More informationHIPAA & Privacy Compliance Update
HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com
More informationNMHC HIPAA Security Training Version
NMHC HIPAA Security Training 2017 Version HIPAA Data Security HIPAA Data Security is intended to provide the technical controls to ensure electronic Protected Health Information (PHI) is kept secure and
More informationHIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood
HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood Braun Tacon Process Architect / Auditor Owner: www.majorincidenthandling.com Winning Lotto.1 in 175 Million Attacked
More informationThese rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.
HIPAA Checklist There are 3 main parts to the HIPAA Security Rule. They include technical safeguards, physical safeguards, and administrative safeguards. This document strives to summarize the requirements
More informationHIPAA Security Manual
2010 HIPAA Security Manual Revised with HITECH ACT Amendments Authored by J. Kevin West, Esq. 2010 HALL, FARLEY, OBERRECHT & BLANTON, P.A. DISCLAIMER This Manual is designed to set forth general policies
More informationHIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011
HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, 2012 Phyllis F. Granade The Granade Law Firm Atlanta, GA (678) 705 2507 pgranade@granadelaw.com www.granadelaw.com Looking
More informationA Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud
A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,
More informationTechnology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014
Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014 Welcome! Thank you for joining us today. In today s call we ll cover the Security Assessment and next steps. If you want
More informationBoerner Consulting, LLC Reinhart Boerner Van Deuren s.c.
Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits
More informationHIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders
HIPAA Developed by The University of Texas at Dallas Callier Center for Communication Disorders Purpose of this training Everyone with access to Protected Health Information (PHI) must comply with HIPAA
More informationSecurity Lessons Learned from HIPAA Enforcement
Security Lessons Learned from HIPAA Enforcement Presentation to HealthSec 12 August 7, 2012 Adam H. Greene, J.D., M.P.H. Partner, Davis Wright Tremaine Enforcement of the Security Rule HIPAA Security Rule
More informationSupport for the HIPAA Security Rule
white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe
More informationHIPAA Security Rule Policy Map
Rule Policy Map Document Information Identifier Status Published Published 02/15/2008 Last Reviewed 02/15/1008 Last Updated 02/15/2008 Version 1.0 Revision History Version Published Author Description
More informationThe Apple Store, Coombe Lodge, Blagdon BS40 7RG,
1 The General Data Protection Regulation ( GDPR ) is the new legal framework that will come into effect on the 25th of May 2018 in the European Union ( EU ) and will be directly applicable in all EU Member
More informationSample Security Risk Analysis ASP Meaningful Use Core Set Measure 15
Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Risk Analysis with EHR Questions Example Answers/Help: Status What new electronic health information has been introduced into my practice
More informationDavid C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017
David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017 Privacy and security of patient information held by health care providers remains a concern of the federal government. More resources
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationIncident Response: Are You Ready?
Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher
More information(c) Apgar & Associates, LLC
Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher
More informationU.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)
U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:
More informationInformation Privacy and Security Training 2016 for Instructors and Students. Authored by: Office of HIPAA Administration
Information Privacy and Security Training 2016 for Instructors and Students Authored by: Office of HIPAA Administration Objectives After you finish this Computer-Based Learning (CBL) module, you should
More informationHIPAA 101: What All Doctors NEED To Know
HIPAA 101: What All Doctors NEED To Know 1 HIPAA Basics HIPAA: Health Insurance and Portability Accountability Act of 1996 Purpose: to protect confidential information through improved security and privacy
More information3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/
Compliance Institute Session 501: Implementing a System-Wide Access Monitoring Program Brian D. Annulis Meade, Roach & Annulis, LLP Aegis Compliance & Ethics Center, LLP 4147 N. Ravenswood Avenue Suite
More informationSecurity and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018
Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations Christopher S. Yoo University of Pennsylvania July 12, 2018 Overview of Research Tort and products liability for CPS Privacy and
More informationCompliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.
Compliance A primer Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation. The growth in the sharing of sensitive data combined with
More informationImplementing an Audit Program for HIPAA Compliance
Implementing an Audit Program for HIPAA Compliance Mike Lynch Fifth National HIPAA Summit November 1, 2002 Seven Guiding Principles of HIPAA Rules Quality and Availability of Care Nothing in the proposed
More informationElements of a Swift (and Effective) Response to a HIPAA Security Breach
Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association of Nurse Attorneys Disclaimer The information
More informationENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?
ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? Jonathan Carroll, MBA, CISSP AVP Enterprise IT Operations Information Security Officer University of Connecticut Why Are We Talking About This? Data breaches
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Iliana L. Peters, J.D., LL.M. Senior Advisor for HIPAA Compliance and Enforcement OCR RULEMAKING UPDATE What s s Done?
More informationHELPFUL TIPS: MOBILE DEVICE SECURITY
HELPFUL TIPS: MOBILE DEVICE SECURITY Privacy tips for Public Bodies/Trustees using mobile devices This document is intended to provide general advice to organizations on how to protect personal information
More informationCOUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017
COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE Presented by Paul R. Hales, J.D. May 8, 2017 1 HIPAA Rules Combat Cyber Crime HIPAA Rules A Blueprint to Combat Cyber Crime 2 HIPAA Rules Combat Cyber Crime
More information