Once more unto the breach: Mastering HIPAA's data breach notification requirements

Transcription
Page 1

Once more unto the breach: Mastering HIPAA's data breach notification requirements
September 20, 2011
Presented by: Kathy Kenady, Senior Loss Prevention Representative, Medical Insurance Exchange of California

Agenda
- Risk assessment
- Reporting a breach
- Lessons learned
- Audits
- Accounting of disclosures
Page 2

Terms
- PHI = Protected Health Information
- CE = Covered entity
- HIPAA Privacy Rule
- HIPAA Security Rule
- HITECH Act

HITECH data breach notification
- HIPAA was formerly complaint-driven; patients were often unaware of violations
- Now CEs must report breaches of confidentiality to OCR, patients, and sometimes media
- Audits
Page 3

Data breach
- Unauthorized disclosure of, or access to, unsecured PHI
- "Unauthorized" refers to the HIPAA rules; specific patient authorization is not always required

Unsecured PHI
- PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals
- Can be in any medium: paper or electronic
Page 4

Secured PHI
- Must be encrypted and/or destroyed in accordance with federal guidelines, e.g. those of the National Institute of Standards and Technology (NIST)
- Note: encryption is still not mandated by HIPAA

Encryption standards
- Data at rest: NIST Special Publication, Guide to Storage Encryption Technologies for End User Devices
- Data in motion: NIST Special Publications, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; Guide to IPsec VPNs; or Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) validated
Page 5

Destruction standards
- NIST Special Publication, Guidelines for Media Sanitization

Breach examples
- Stolen (unencrypted) laptop
- Network server hacked
- Patient EOB mailed to wrong addresses
Page 6

Ignorance is not bliss
- Physicians will be held accountable for breaches that, through the exercise of reasonable diligence, should have been known to them
- Implement systems to detect breaches
- Train staff to notify the Privacy/Security officer immediately upon knowledge or suspicion of a breach
  - Returned mail
  - Files or electronic devices lost or stolen
- Work with IT and software vendors
  - Unauthorized access to network
  - Possibly audit staff access to EMR
Page 7

Breach identified: Now what?
- Conduct a risk assessment (harm threshold!)
- Include any business associates involved in the breach
- Document the details of your risk assessment

Risk assessment
- Would an unauthorized person reasonably be able to access or retain the PHI?
- Is the PHI unsecured?
- Was it immediately retrieved?
- Is there evidence that the information wasn't accessed?
  - Electronic: forensics
  - Paper: unopened
Page 8

Risk assessment
- In whose hands did the PHI land?
- Exemptions:
  - Unintentional access by a workforce member
  - Inadvertent disclosure to a workforce member acting in good faith within the scope of his or her duties
  - In either case: the PHI must not be further used or disclosed improperly

Risk assessment
- Can the information breached cause significant risk of financial, reputational, or other harm?
- There may be less risk of harm if the PHI was disclosed to another entity governed by the HIPAA Privacy and Security Rules or to a Federal agency: the recipient entity is obligated to protect the information
  - Immediately destroy or mail back
- Fact- and case-specific
  - Famous person?
  - Known to each other?
Page 9

If there was a breach:
- Determine the number of affected individuals
- Proceed with notification

Method of notification
- Victims of breaches must be notified without unreasonable delay and no later than 60 calendar days after discovery of the breach
- A breach is considered discovered on the first day a covered entity knows or should have known about it
- Fewer than 500 individuals (patients): annual notice to HHS
- 500 or more individuals: HHS and media outlets must be notified without unreasonable delay
Page 10

Method of notification
- Notify affected individuals (or next of kin if deceased)
- Written notification by 1st class mail, or by email if the patient prefers
- Follow-up mailings, if necessary, as more information becomes available

Contents of notice
- Brief description of what happened
- Date of breach and date breach discovered
- The type of information disclosed: full name, social security #, date of birth, home address, account number, disability code, etc.
- Steps the patient should take to protect him or herself, e.g. notify credit card company
- What you are doing to investigate and mitigate, e.g. pay for an identity theft protection service or credit monitoring service
- Contacts for questions or additional information
Page 11

Insufficient contact information?
- Fewer than 10 patients: alternative written notice, telephone, or other means
- 10+ patients:
  - Conspicuous posting on the home page of your web site for at least 90 days, or
  - Conspicuous posting in major print or broadcast media likely to be seen by patients
  - A toll-free number must be provided for at least 90 days where individuals can learn whether their information was breached

Law enforcement exception
- A law enforcement official may request a delay in writing if notification would impede a criminal investigation or cause damage to national security
- If law enforcement makes the request orally, document the request, including the name of the official, and delay notification no longer than 30 days unless the official submits a request in writing specifying a longer delay
Page 12

Data breaches reported to HHS
- 330 breaches reported as of Sept (500 or more individuals affected)
- Recent Congress report: 30,000 smaller breaches from Sept to Dec, affecting more than 72,000 people

Cause of breaches
- Theft/Loss
- Improper disposal
- Unauthorized access/disclosure
- Hacking
Page 13

Reported breaches in order of prevalence
- 69 laptops
- 58 paper
  - 21 unauthorized access/disclosure
  - 18 theft
  - 14 improper disposal
  - 5 loss
- 42 desktop computer (theft, hacking)
- 39 portable electronic device (external hard drive, USB, etc.)

Reported breaches in order of prevalence (continued)
- 29 network server
- 15 other
- 7 (category not captured in the transcription)
- 3 EMR
- 3 hard drive
- 3 mailings
- 2 backup tapes
- 1 CDs
Page 14

Cloud computing
- NIST publication, Cloud Computing Synopsis and Recommendations

OCR case descriptions
- A binder and clipboard were missing from a file room
- 4,083 individuals
- PHI: names, SSN, DOB
- Remediation:
  - CE transferred all logs to an electronic database
  - Electronic database accessible by authorized workforce members only
  - Improved physical safeguards and retrained employees
Page 15

OCR case descriptions
- A BA employee sent an email to multiple patients without concealing the patients' addresses
- 937 individuals
- Dietary program
- Remediation: BA counseled the employee and retrained all employees

OCR case descriptions
- File server at the Office of Health Services was compromised and impermissibly accessed
- 27,000 individuals
- PHI: names, addresses, dx codes, names of meds prescribed, medication costs and SSNs
- Remediation:
  - Server removed from network
  - Individuals and media notified
  - Operating system replaced
  - Additional technical safeguards implemented
Page 16

OCR case descriptions
- A nurse used the PHI of patients to obtain narcotics for her personal use
- 600 individuals affected
- PHI: names and account numbers
- Remediation:
  - Nurse terminated
  - Monthly audit of Schedule II narcotics by each patient care dept, matching the med dispense log to the order and bill

OCR case descriptions
- A shared desktop computer was stolen from the reception desk area, behind a locked desk area, probably while a cleaning crew had left the main door to the building open and the door to the suite unlocked
- 857 individuals
- PHI: names, DOB, clinical info
- Remediation:
  - Individuals and media notified
  - Technical safeguard: encryption
  - Administrative safeguard: training of staff and cleaning crew
Page 17

OCR case descriptions
- Employee left an external hard drive in a vehicle that was stolen
- 15,500 individuals
- PHI: names, med record #s, care and treatment, DOB, age, gender, phone numbers
- Remediation:
  - Employee terminated for violating policies
  - Deployment of a removable media encryption software tool

OCR case descriptions
- Employee's laptop stolen out of her bag while she was making an admission visit in a patient's home
- CE had a policy of encrypting computers, but the employee changed the security settings
- 1,000 individuals
- PHI: names, addresses, DOB, phone #s, SSN, Medicare #s, electronic health records, commercial insurance info
- Remediation:
  - Notified patients and media, web site
  - Sanctioned employee
  - Established stringent computer security guidelines and trained staff
Page 18

OCR case descriptions
- An imposter, posing as a representative of the recycling service used by the CE, removed several barrels of purged x-ray films and jackets
- Individuals affected: count not captured in the transcription
- Remediation:
  - Patients notified and offered credit monitoring
  - Root cause investigation
  - Employees retrained on verification-of-identity P&Ps

OCR case descriptions
- BA prepared a request-for-proposal which mistakenly included PHI; it was posted online for 5 days
- 22,642 individuals
- PHI: SSN, DOB, gender, zip codes, enrollment info
- Remediation:
  - CE now requires several layers of review before allowing public disclosure of documents prepared by the BA
  - BA provided patients with credit monitoring, fraud resolution resources, and identity theft insurance
  - BA provided the CE with assurances that it has taken steps to prevent this type of disclosure in future
Page 19

Recently in the news... Stanford
- 20,000 emergency room patients
- Names and diagnosis codes
- Online publicly for nearly one year (Student of Fortune)

Data breaches reported to MIEC
- Stolen laptops
- Paper records in storage facility
Page 20

Solutions:
- Don't allow any unsecured PHI to leave the office
- Ensure physical and technical safeguards of information in the office
- Full disk encryption: cheap and easy for laptops, desktops, servers, USBs and external hard drives
- PDAs and smartphones: very difficult to ensure security. At a minimum:
  - Password protection (iPhone 4 allows you to disable the simple four-digit passcode and re-enter a stronger passcode with more digits/characters)
  - Auto Erase feature: erases data on the phone after ten failed attempts at the passcode
  - Remote wipe capability
  - VPN (Virtual Private Network)

California law
- Physicians must notify patients of breaches of unencrypted computerized personal information:
  - Social security number
  - Driver's license or CA ID number
  - Account number, credit or debit card number, in combination with any required security, access code or password that would permit access to an individual's financial account
  - Medical information regarding medical history, mental or physical condition, or medical treatment or diagnosis
  - Health insurance information
Page 21

California law
- A good faith acquisition of personal information by an employee or agent of the physician is not considered a breach so long as the information is not used or subject to further unauthorized disclosures
- Notification ASAP and without unreasonable delay

California law
- Notification made by written or electronic notice
- If the cost of direct notice exceeds $250,000, or if more than 500,000 people must be notified, or if the business doesn't have sufficient contact information:
  - Email notice to every person for whom you have an email address, and
  - Conspicuous posting on web site, and
  - Notify major statewide media
Page 22

California Institutional Provider Law
- Licensed clinics, health facilities, home health agencies, and hospices
- Individually identifiable information in electronic or physical form
- Notify CDPH and patient(s) no later than 5 business days after the breach is detected

2010 Study: U.S. cost of data breach
- Average cost: $214 per record (lost business, ex-post response, notification, detection and escalation)
- In healthcare, customer turnover is the main cost
- Avg. cost: $258 per record if on a lost or stolen laptop or other mobile data-bearing device
- Forensics are difficult and costly
Page 23

2010 Study: U.S. cost of data breach
- Malicious or criminal attacks are the most expensive cause of data breaches
- Negligence remains the most common threat at 41%

Penalties and enforcement
- HHS authorized to investigate complaints of suspected noncompliance
- Tiered civil monetary penalties based on the amount of neglect and intent, from $ to $1.5 million per violation (with caps)
- Compliance audits
- State attorneys general empowered to enforce some HIPAA elements
Page 24

Compliance audits
- Risk-based (size, type of entity)
- Not complaint- or breach-driven
- 150 CEs by end of 2012
- Entities will be given advance notice
- Aggregate findings released for education

Compliance audits: key concerns
- Incident detection and response
- Review of log access
- Secure wireless network
- Management of user access and passwords
- Theft or loss of mobile devices
- Up-to-date software
- Role-based access
Page 25

Incident detection and response
- CEs and BAs: are you reasonably logging and reviewing system activities in a way that is likely to detect breaches?
- Are staff trained to spot a breach and report it to the appropriate person?

Review of log access
- Not expected to review every instance of access
- Targeted approach:
  - Patterns of unusually large access by an employee
  - High-risk areas such as records of VIPs
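Added example (not from the presentation or any EMR vendor): a small Python review that applies the two targeted checks named above to EMR access-log lines, flagging employees whose distinct-record access is unusually large compared with same-role peers, and listing every access to a watch-listed (VIP) record. The log format, user ids, record numbers and the VIP list are all constructed for the example.

```python
"""Targeted EMR access-log review: unusually large access per employee, plus any
access to high-risk (VIP) records. Log format, users, MRNs and the VIP list are
all constructed for this example; real EMR audit logs differ per vendor."""
from collections import defaultdict
from statistics import median

# Constructed sample log, one event per line:
# <timestamp> <user id> <role> <patient record id> <action>
SAMPLE_LOG = "\n".join(
    [
        "2011-09-01T08:02:11 jdoe nurse MRN1001 view",
        "2011-09-01T08:05:40 jdoe nurse MRN1002 view",
        "2011-09-01T08:09:03 jdoe nurse MRN1002 update",  # same record twice
        "2011-09-01T08:11:52 jdoe nurse MRN1003 view",
        "2011-09-01T09:00:17 asmith nurse MRN1004 view",
        "2011-09-01T09:04:29 asmith nurse MRN1005 view",
        "2011-09-01T09:30:00 bwu nurse MRN1006 view",
        "2011-09-01T09:31:10 bwu nurse MRN1007 view",
        "2011-09-01T09:32:20 bwu nurse MRN1001 view",
        "2011-09-01T10:00:00 rchen registration MRN1008 view",
        "2011-09-01T10:01:00 rchen registration MRN1009 view",
        "2011-09-01T10:02:00 rchen registration MRN9001 view",  # VIP record
        "2011-09-01T12:15:00 mlee nurse MRN9001 view",  # VIP record
        "this line is malformed and should be skipped",
    ]
    # mlee then opens twelve more distinct records in a row (constructed)
    + [f"2011-09-01T12:{20 + i:02d}:00 mlee nurse MRN{2000 + i} view" for i in range(12)]
)

# Constructed watch list of high-risk records whose every access is reviewed.
VIP_RECORDS = {"MRN9001"}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts. Malformed lines are
    skipped rather than aborting the whole review."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, mrn, action = parts
        events.append({"ts": ts, "user": user, "role": role, "mrn": mrn, "action": action})
    return events


def distinct_records_by_role(events):
    """Map role -> {user: number of distinct patient records touched}.
    Distinct records, not raw events, so re-opening one chart does not inflate the count."""
    records = defaultdict(set)
    role_of = {}
    for e in events:
        records[e["user"]].add(e["mrn"])
        role_of[e["user"]] = e["role"]
    by_role = defaultdict(dict)
    for user, recs in records.items():
        by_role[role_of[user]][user] = len(recs)
    return by_role


def unusually_large_access(events, factor=3.0, min_peers=3):
    """Flag users whose distinct-record count exceeds factor x the median of their
    same-role peers. The median keeps one heavy user from raising the baseline; roles
    with fewer than min_peers users get no automatic verdict and are left for manual review."""
    flagged = {}
    for role, counts in distinct_records_by_role(events).items():
        if len(counts) < min_peers:
            continue
        baseline = median(counts.values())
        for user, n in counts.items():
            if n > factor * baseline:
                flagged[user] = n
    return flagged


def vip_record_access(events, vip_records=VIP_RECORDS):
    """Every event touching a watch-listed record, regardless of who or how many."""
    return [e for e in events if e["mrn"] in vip_records]


def review(text, vip_records=VIP_RECORDS):
    """Run both targeted checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "events_parsed": len(events),
        "high_volume": unusually_large_access(events),
        "vip_access": [(e["ts"], e["user"], e["mrn"]) for e in vip_record_access(events, vip_records)],
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for user, n in findings["high_volume"].items():
        print(f"review: {user} touched {n} distinct records, well above same-role peers")
    for ts, user, mrn in findings["vip_access"]:
        print(f"review: {ts} {user} accessed watch-listed record {mrn}")
```

On the constructed log the nurse mlee is flagged (13 distinct records against a peer median of 3) and both accesses to the watch-listed record are listed; the lone registration clerk is not judged automatically because the role has too few peers for a baseline.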
Page 26

Secure wireless network
- Encryption turned on
- Administrative access to configure the wireless access point is password protected

Management of user access and passwords
- Prohibit sharing of user IDs
- Configure systems to require strong passwords
- Access to administrative accounts closely controlled
Page 27

Theft or loss of mobile devices
- Policies and training on safeguarding
- Encryption
- Store PHI centrally rather than on the device itself

Up-to-date software
- Ensure that patches that address vulnerabilities are pushed out to workstations regularly
- Consider upgrading software or operating system if the version is no longer supported by the vendor
- Keep anti-malware software up-to-date
Page 28

Role-based access
- Balance security risks with patient safety
- Closely monitored break-the-glass solution

Business Associates (BA)
- BA: those who access PHI as they are performing services on behalf of a physician: accountant, collections, transcriptionist, IT service providers, copy services, etc.
- It is the physician's responsibility to conduct the risk assessment and disclose breaches, even if the fault lies with a BA acting on the physician's behalf
Page 29

BA agreements
- Update to incorporate data-breach notification requirements: the time frame, method and content of the notification

Patient control of PHI
- EHR: patients have the right to obtain a copy of their record in electronic format
- Requests to withhold PHI from health plans for health care operations or payment purposes must be granted if the patient pays you in full, out-of-pocket (genetic testing, etc.)
Page 30

EMR: Accounting of disclosures
- Produce upon patient request an accounting of all disclosures within the past three years:
  - TPO
  - Patient-signed authorization
  - Internal access
  - Disclosures by BAs on behalf of the CE, or a list of all BAs and contact information
- It should be in the BA agreement that they must produce an accounting of disclosures

EMR: Accounting of disclosures
- Effective as of Jan [year missing] if the CE obtained the EMR after Jan 2009
- Effective as of Jan [year missing] if the CE obtained the EMR before Jan [year missing]
Page 31

To do:
- Incorporate HITECH provisions into existing privacy and security policies and procedures
  - Identifying breaches
  - Update BA agreements
  - Update NPP to include breach policies, patient control of and access to information
  - Accounting of disclosures (EHR)
- Re-evaluate existing data security in light of new provisions
  - How and where is unsecured PHI used and stored? Can it be encrypted?
- Vet and evaluate the security of BAs before sharing information
  - Pick vendors that can guarantee data protection through encryption, including employees' mobile devices
- Train staff accordingly
- Establish sanctions for violations

Questions?
More informationHIPAA Tips and Advice for Your. Medical Practice
HIPAA Tips and Advice for Your Ericka L. Adler Medical Practice Rachel V. Rose WHY Header HIPAA PATIENT and Medical PORTALS? Practices HIPAA Basics Who is a covered entity? What is PHI? When can you disclose
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is
More informationIdentity Theft Prevention Policy
Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening
More informationCompliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.
Compliance A primer Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation. The growth in the sharing of sensitive data combined with
More informationHIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements
More informationHIPAA ( ) HIPAA 2017 Compliancy Group, LLC
855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance
More informationHIPAA Privacy and Security Training Program
Note The following HIPAA training is intended for Vendors, Business Associates, Students, Pre Approved Shadowers, and Visitors. The following training module does not provide credit for annual training
More informationHIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012
HIPAA Privacy and Security Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012 Goals and Objectives Course Goal: Can serve as annual HIPAA training for physician practice
More informationHIPAA & HITECH Training 2018
HIPAA & HITECH Training 2018 Welcome 2018 Compliance Training Section 1: HIPAA Privacy Section 2: HIPAA Security Section 3: HITECH Section 4: Reporting a Breach Section 5: Disciplinary Actions Section
More informationA Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016
A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016 Panelists Beverly J. Jones, Esq. Senior Vice President and Chief Legal Officer ASPCA Christin S. McMeley, CIPP-US
More informationCore Elements of HIPAA The Privacy Rule establishes individuals privacy rights and addresses the use and disclosure of protected health information ( PHI ) by covered entities and business associates The
More informationBoerner Consulting, LLC Reinhart Boerner Van Deuren s.c.
Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits
More informationAgenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute
Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement
More informationData Compromise Notice Procedure Summary and Guide
Data Compromise Notice Procedure Summary and Guide Various federal and state laws require notification of the breach of security or compromise of personally identifiable data. No single federal law or
More informationCompliance & HIPAA Annual Education
Compliance & HIPAA Annual Education 1 The purpose of this education is to UPDATE The purpose and of this education REFRESH is to UPDATE your and REFRESH understanding understanding of: of: Aultman s Compliance
More informationLCU Privacy Breach Response Plan
LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationWhat is a Breach? 8/28/2017
Michael E. Reheuser US Department of Defense 1 What is a Breach? The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to
More informationRevised January
Revised January 2017 1 Copyright and Trade Secret Warning All Rights Reserved. This training presentation contains confidential and proprietary trade secrets of and copyrights belonging to RadNet Management,
More informationHealthcare Privacy and Security:
Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association
More informationBeam Technologies Inc. Privacy Policy
Beam Technologies Inc. Privacy Policy Introduction Beam Technologies Inc., Beam Dental Insurance Services LLC, Beam Insurance Administrators LLC, Beam Perks LLC, and Beam Insurance Services LLC, (collectively,
More informationThe ABCs of HIPAA Security
The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1 Daniel F. Shay, Esq. Alice G. Gosfield
More informationSummary Comparison of Current Data Security and Breach Notification Bills
Topic S. 117 (Nelson) S. (Carper/Blunt) H.R. (Blackburn/Welch) Comments Data Security Standards The FTC shall promulgate regulations requiring information security practices that are appropriate to the
More informationThe HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance
The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San
More informationInformation Technology Standards
Information Technology Standards IT Standard Issued: 9/16/2009 Supersedes: New Standard Mobile Device Security Responsible Executive: HSC CIO Responsible Office: HSC IT Contact: For questions about this
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationHIPAA AND SECURITY. For Healthcare Organizations
HIPAA AND EMAIL SECURITY For Healthcare Organizations Table of content Protecting patient information 03 Who is affected by HIPAA? 06 Why should healthcare 07 providers care? Email security & HIPPA 08
More informationHIPAA Privacy, Security and Breach Notification 2018
HIPAA Privacy, Security and Breach Notification 2018 An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationCyber Security Issues
RHC Summit 6/9/2017 Cyber Security Issues Dennis E. Leber CISO CHFS Why is it Important? Required by Law Good Business Strategy Right Thing to Do Why is it Important? According to Bitglass' 2017 Healthcare
More informationSecurity Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer
Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected
More informationSTATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)
ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain
More informationSeven gray areas of HIPAA you can t ignore
White Paper: HIPAA Gray Areas Seven gray areas of HIPAA you can t ignore This guide exists to shed some light on some of the gray areas of HIPAA (the Health Insurance Portability and Accountability Act).
More information