HIPAA Security & Privacy
- Marilyn Jackson
- 6 years ago
1 HIPAA Security & Privacy: New Omnibus Regulations
Prepared by Keith Weiner for New York State HIMSS

2 Omnibus Rule
Released on January 25, 2013, the final 563-page Omnibus Rule is the largest sweeping change to HIPAA.
Effective March 26, 2013
Compliance enforcement starting September 23, 2013
Strengthens privacy and security protections for health information established under the 1996 HIPAA and 2009 HITECH Acts
Strengthens OCR's ability to enforce the HIPAA privacy and security protections for both covered entities and business associates
Final Rule modifies the Interim Breach Notification Rule
But first, some background information
3 HIPAA Background: Security and Privacy Rules
The Health Insurance Portability and Accountability Act of 1996
Requires HHS to protect the privacy and security of PHI, including ePHI
Hence the HIPAA Privacy Rule and the HIPAA Security Rule
EHR adoption increases risks
HIPAA game-changer

4 Security Rule
Goal: Protect the privacy of an individual's ePHI while allowing the adoption of new technologies to improve the quality and efficiency of patient care.
Landscape: The EHR marketplace is diverse. Organizations have different risks. One size does not fit all.
Method: The Security Rule is flexible and scalable to allow the implementation of policies, procedures, and technologies to suit the organization and the risk to ePHI.
5 Security Rule Main Components
Risk Analysis and Management
State Law
Administrative Safeguards
Policies & Procedures
Documentation Requirements
Physical Safeguards
Organizational Requirements
Technical Safeguards
Enforcement and Penalties for Noncompliance
New Omnibus Regulations and Compliance Dates
6 Omnibus Key Points
Key Highlights of the HITECH/GINA Updates to HIPAA Privacy and Security Requirements:
Business associates must follow the Security Rule for electronic protected health information.
Business associates have business associate agreements with their subcontractors, who must also follow the Security Rule for electronic protected health information (PHI).
Covered entities do not have business associate agreements with business associates' contractors.
Marketing requires an authorization. Financial remuneration is defined. Exceptions to marketing are still in place. Business associates must obtain authorizations prior to marketing.
Grandfather clause for business associate agreement transition
Sale of PHI
Source:
7 Omnibus Key Points
Key Highlights of the HITECH/GINA Updates to HIPAA Privacy and Security Requirements (Continued):
Compound authorizations for research
Authorizing future research for use or disclosure
Any individually identifiable health information of a person deceased more than 50 years is no longer considered PHI under the Privacy Rule.
Covered entities are now permitted to disclose a decedent's PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the CE.
Covered entities can disclose proof of immunization to a school where state or other law requires it prior to admitting a student. Written authorization is no longer required, but an agreement must still be obtained, which can be oral.
The Notice of Privacy Practices must be revised and redistributed.
Required restriction to health plan
Access to electronic PHI
Source:
8 Omnibus Key Points
Key Highlights of the HITECH/GINA Updates to HIPAA Privacy and Security Requirements (Continued):
Covered entities must provide the recipient of any fundraising communication with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications, and the individual's choice to opt out is treated as a revocation of authorization under the Privacy Rule.
Genetic information may not be used or disclosed for underwriting purposes.
The Breach Notification Rule's harm threshold is removed and replaced with a more objective standard.
Form and format of electronic copies
Fees for paper and electronic copies
Timeliness for paper and electronic records
Title I of GINA required the Secretary to revise the HIPAA Privacy Rule. Genetic information is health information.
Excludes long-term care plans from the underwriting prohibition
Source:
9 Omnibus IT Concerns
BAA must be updated for new engagements: enforced September 23, 2013
BAA must be updated for existing engagements: enforced September 23, 2014
Security and Privacy Rules protections increased
OCR enforcement strengthened
Breach Notification Rule significantly altered

10 OCR Audits
Office for Civil Rights authority increased with Omnibus
ARRA HITECH Act requires HHS to provide for periodic audits
Ensures compliance with the HIPAA Privacy and Security Rules and Breach Notification standards.
OCR piloted a program to perform 115 audits of covered entities to assess privacy and security compliance.
Pilot phase began November 2011 and concluded in December
Risk assessment essential in future audits
11 How OCR Facilitates Balanced Policy
Public Awareness / Compliance Tools / Enforcement:
Privacy
Access
Security Rule/Risk Analysis
Complaints/Higher Penalties Under HITECH
Security Fact Sheets
Mobile Devices Video
Breach Reporting
YouTube
ONC Collaborations
Audit
De-Identification Guidance
State Attorneys General

12 OCR Common Areas of Concern
Risk Assessment
Currency of Policies and Procedures
Security Awareness and Training
Workforce Clearance
Workstation Security
Encryption
Business Associate Contracts and Other Arrangements
What OCR looks for in an audit
13 Breach Stats
The health information privacy of more than 21M individuals has been reported to have been breached in the United States since September 2009, more than the entire population of Florida (2012 OCR statistics)
94% of health care organizations surveyed experienced at least one data breach in the past two years; 45% had more than 5 incidents
The average economic impact of a breach is $2.4 million
The US per-record cost of a data breach averages $194
54% of organizations have little or no confidence they can detect all patient data loss or theft (Ponemon Institute, Dec. 2012)
51% of CEOs surveyed say their company experiences cyber attacks hourly or daily
77% of UK systems developers surveyed use real production data when developing applications
68% of US companies permit employee-owned devices in the workplace
60% of employees circumvent security features on their mobile devices
The top three causes of a data breach are lost or stolen computing devices, employee mistakes, and third-party mistakes
14 Breach Rules
Replacement of the harm standard with a risk assessment (the harm standard was previously underreported and subjective)
The covered entity or business associate has the burden to prove that an unauthorized disclosure is not a breach
Exemptions exist (unintentional use in good faith within scope of authority without further impermissible disclosure; inadvertent disclosure to an authorized person; the unauthorized person could not reasonably have retained the PHI)
Use or disclosure of PHI that is not permitted by the rule is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised, based on a risk assessment containing four elements:

15 4 Standards Determine Breach
1. What was the nature and extent of the PHI? How much clinical information was involved? Could it be used in a manner adverse to the individual or to further the recipient's interests? Can the patients be identified? Does it involve sensitive information such as mental health, sexually transmitted diseases, or substance abuse?
2. Who is the unauthorized person who used the PHI or to whom it was disclosed? Do they have an obligation to protect the privacy and security of the PHI? Were dates and types of health services impermissibly disclosed to an employer?
3. Was the PHI actually acquired and used? Was the PHI viewed, or was there only an opportunity? Was the information on a stolen laptop accessed, viewed, acquired, transferred or otherwise compromised? Did the recipient open and read mail sent to the wrong address?
4. Has the risk to the PHI been mitigated? Have satisfactory assurances been obtained from the recipient (through a confidentiality agreement or otherwise) that the PHI will not be further used or disclosed?
16 Notification
If notification of a breach is required, the covered entity is required to notify all affected individuals within 60 calendar days of the discovery of the breach
"Wall of Shame": the HHS website features breaches of 500 or more individuals
Individual Notice: if 10 or more individuals cannot be contacted, post to website or local media
Media Notice: 500 or more individuals; state media, as a press release
Secretary Notice: 500 or more individuals; within 60 days, via website form
Secretary Notice: fewer than 500 individuals; within 60 days of the end of the calendar year

17 Breach Highlights
From September 2009 through January 7, 2013:
525 reports involving over 500 individuals
Over 64,000 reports involving under 500 individuals
Top types of large breaches: Theft; Unauthorized Access/Disclosure; Loss
Top locations for large breaches: Laptops; Paper Records; Desktop Computers; Portable Electronic Device
18 Safe Harbour
Unencrypted data is not considered safe
Encrypted data prevents unauthorized access/breach
Data transmission should always use encryption
Laptops will be encrypted
All other mobile devices should be encrypted (phones, tablets, etc.); Mobile Iron for hardening
NYP even encrypting desktops following Columbia University incident
Encryption coming soon to
Encryption on USB keys, backups: maybe in future?
NIST standard AES: Secret (128-bit), Top Secret (256-bit)
31,536,000 years to crack 128-bit using current technology
19 Fines For Violations
Violation type                   Each violation        Repeat violations/yr
Did Not Know                     $100 to $50,000       $1,500,000
Reasonable Cause                 $1,000 to $50,000     $1,500,000
Willful Neglect, Corrected       $10,000 to $50,000    $1,500,000
Willful Neglect, Not Corrected   $50,000               $1,500,000
20 Post HITECH Enforcement Actions
Cignet Health (MD): Denied patients the right of access to medical records; failed to respond to OCR's investigation; only CMP levied by HHS
Massachusetts General Hospital: Employee lost paper health records on public transit; Privacy Rule standards to control employee access/removal of PHI from the workplace; safeguards for PHI in all forms when off-premises
UCLA Health System: Repeated incidents of unauthorized access to ePHI by workforce members; assess threats/vulnerabilities and implement safeguards to reduce the risk to confidentiality of ePHI

21 Post HITECH Enforcement Actions
Phoenix Cardiac Surgery: ePHI disclosed through the Internet when the provider used a third-party application hosted in the cloud; business associate agreements required when sharing data with cloud computing service providers
BCBS Tennessee: ePHI stored on servers stolen from a deactivated data center after construction/relocation to a new facility; reevaluate threats/vulnerabilities to ePHI caused by a changing operational environment and manage risk
Alaska DHSS: Portable storage device stolen from a personal vehicle, symptomatic of widespread failure to implement program-wide information security safeguards

22 Post HITECH Enforcement Actions
Massachusetts Eye and Ear Institute: Stolen personal laptop of a physician using the device as a desktop substitute; covered entity had not implemented a program to mitigate identified risks to ePHI; encrypt data stored on end-user devices
Hospice of Northern Idaho: Breach affecting 400 individuals when a laptop was stolen; provider had not conducted a risk assessment or taken other measures to safeguard ePHI as required by the Security Rule
23 What? Me Worry?
HIPAA violation penalties can include both monetary fines and prison time
Oregon nursing assistant: 8 days for posting photos on a social media website
UCLA researcher: 4 months for accessing co-workers' records after separation of employment
Scales up to $500K and 10 years

24 Hospital Security Work Plan: HIPAA Requirements and Beyond

25 Hospital Security Program

26 Hospital Security Work Plan: Key Endeavours
Risk Assessments
Encryption
Disaster Recovery

27 Policy Revision
Policies in catalogue
Policies match Security Rule regulations
Addressable policies: show the regulation is being addressed
Required policies: more prescriptive in nature
Policies categorized as: Administrative, Physical, Technical
May I see the policies?
28 Administrative Safeguards
Standard (section), then each implementation specification with R=Required or A=Addressable, and the policy that covers it:
Security Management Process (1)
  Risk Analysis: R; policy: Risk Analysis
  Risk Management: R; policy: Security Management Process
  Sanction Policy: R; policy: Security Management Process
  Activity Review: R; policy: Security Management Process
Assigned Security Responsibility (2)
  R; policy: Assigned Security Responsibility
Workforce Security (3)
  Authorization and/or Supervision: A; policy 9237( and ), see Human Resources Policies on Intranet
  Workforce Clearance Procedure: A; policy 9237( and ), see Human Resources Policies on Intranet
  Termination Procedures: A; policy 9237( and ), see Human Resources Policies on Intranet
Information Access Management (a)(4)
  Isolating Health Care Clearinghouse Functions: R; policy: Isolating Health Care Clearinghouse Functions
  Access Authorization: A; policy: Access Authorization
  Access Establishment and Modification: A; policy: Access Establishment and Modification
Security Awareness and Training (a)(5)
  Security Reminders: A; policy: Security Reminders
  Protection from Malicious Software: A; policy: Protection from Malicious Software
  Log-in Monitoring: A; policy: Log-in Monitoring
  Password Management: A; policy: Password Management
Security Incident Procedures (a)(6)
  Response and Reporting: R; policy: Response and Reporting
Contingency Plan (a)(7)
  Data Backup Plan: R; policy: Contingency Plan
  Disaster Recovery Plan: R; policy: Contingency Plan
  Emergency Mode Operation Plan: R; policy: Contingency Plan
  Testing and Revision Procedures: A; policy: Contingency Plan
  Applications and Data Criticality Analysis: A; policy: Contingency Plan
Evaluation (a)(8)
  R; policy: Evaluation
Business Associate Contracts and Other Arrangements (b)(1)
  Written Contract or Other Arrangement: R; policy: Business Associate Agreements
29 Physical Safeguards
Standard (section), then each implementation specification with R=Required or A=Addressable, and the policy that covers it:
Facility Access Controls (a)(1)
  Contingency Operations: A; policy: Contingency Operations
  Facility Security Plan: A; policy: Facility Security Plan
  Access Control and Validation Procedures: A; policy: Access Control and Validation Procedures
  Maintenance Records: A; policy: Maintenance Records
Workstation Use (b)
  Acceptable Use Policy: R; policy: Acceptable Use Policy
Workstation Security (c)
  R; policy: Workstation Security
Device and Media Controls (d)(1)
  Disposal: R; policy: Device and Media Controls
  Media Re-use: R; policy: Device and Media Controls
  Accountability: A; policy: Device and Media Controls
  Data Backup and Storage: A; policy: Device and Media Controls
30 Technical Safeguards
Standard (section), then each implementation specification with R=Required or A=Addressable, and the policy that covers it:
Access Control (a)(1)
  Unique User Identification: R; policy: Unique User Identification
  Emergency Access Procedure: R; policy: Emergency Access Procedure
  Automatic Logoff: A; policy: Automatic Logoff
  Encryption and Decryption: A; policy: Encryption
Audit Controls (b)
  R; policy: Audit Controls
Integrity (c)(1)
  Mechanism to Authenticate Electronic Protected Health Information: A; policy: Mechanism to Authenticate Electronic Protected Health Information
Person or Entity Authentication (d)
  R; policy: Person or Entity Authentication
Transmission Security (e)(1)
  Integrity Controls: A; policy: Integrity Controls
  Encryption: A; policy: Encryption

31 HIPAA SECURITY RISK ASSESSMENTS
The Security Circle of Life Continues
32 Risk Assessments Rules
Risk Analysis (a)(1)(ii)(A): "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
Risk Management (a)(1)(ii)(B): "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a) [the General Requirements of the Security Rule]."
NB: The rules are ambiguous on manner and frequency.

33 Risk Analysis Plan
Policies and Procedures: match the HIPAA Security Rules
Analysis Tools: from government and expert consultant
Examine: vulnerability, threat, risk
Recommend: risk management controls
Assess: validate control mechanisms, re-analyze per schedule
Application Catalogue: includes all apps with ePHI and PII (Allscripts, eClinicalWorks, NextGen, PICIS, Eagle; others to follow)
Enterprise-Wide Risk Assessment
IT-Specific Risk Assessment, including vulnerability scanning & penetration testing

34 Encryption Program
Data at rest: Laptops, Desktops, BYOD, USB Drives, Backup Tapes
Data in motion: Vendor Software, Cloud Strategies, Interfaces, RHIO
Encrypted Data = Safe Data: unusable, unreadable, indecipherable

35 Disaster Recovery Strategy
In 2013: Define Needs; Identify Risk; Design Controls; Plan Monitoring; Vendor Selection Process; Implementation
In 2014: Vendor-Hospital Solution; Manage Uptime; Manage Downtime; Assess Risk Mitigation; Monitor (Distant Early Warning)
Based upon results of risk assessments
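The Safe Harbour slide (18) and the Encryption Program slide (34) both rest on one property: data encrypted with a NIST-approved cipher is "unusable, unreadable, indecipherable" to whoever ends up with the lost laptop, USB key or backup tape. The Go program below is an added example written for this page, not code from the presentation or from NYP. It uses the Go standard library's AES-256-GCM (the slide's 256-bit "Top Secret" strength) to seal one constructed sample record and shows that a wrong key, a changed context string or a single flipped byte is rejected rather than silently decrypted. The sample record, the record identifier and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize256 is the AES-256 key length in bytes (the slide's "Top Secret" strength).
const KeySize256 = 32

// NewKey draws a fresh random AES key. In a real deployment the key is generated
// and held by a key manager (TPM, HSM or KMS) and never stored next to the data it
// protects: a lost laptop whose key sits beside the ciphertext gives no safe harbor.
func NewKey(size int) ([]byte, error) {
	if size != 16 && size != 24 && size != 32 {
		return nil, errors.New("AES key must be 16, 24 or 32 bytes")
	}
	key := make([]byte, size)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one ePHI record with AES-GCM (authenticated encryption).
// Output layout: nonce || ciphertext || 16-byte tag. aad (e.g. a record identifier)
// is bound to the record by the tag but is not itself encrypted.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord verifies the tag and decrypts. A wrong key, a mismatched aad or any
// bit flip in the blob makes Open fail, so tampering is detected, not decrypted.
func OpenRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

func main() {
	// Constructed sample record for the demonstration; not real patient data.
	record := []byte("MRN 000123; DOB 1970-01-01; Dx: hypertension")
	aad := []byte("record-id:000123")

	key, err := NewKey(KeySize256)
	if err != nil {
		panic(err)
	}
	blob, err := SealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes) is unreadable without the key: %x...\n", len(blob), blob[:8])

	// Flip one byte of the stored blob: authenticated encryption refuses to decrypt it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecord(key, tampered, aad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	pt, err := OpenRecord(key, blob, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted with the right key:", string(pt))
}
```

Run it with `go run`; the key is generated in memory only for the demonstration. The safe-harbor reasoning on the slides holds only when the key cannot be recovered from the lost device, which is why the laptop and mobile-device encryption the work plan calls for keeps the key in hardware (or a key service) and releases it only after the user authenticates. GCM is chosen over a bare block mode because it also detects modification, which matters for the Integrity and Transmission Security specifications in slide 30.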
36 This Concludes The Presentation
37 Questions?
Keith Richard Weiner
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationHIPAA Privacy, Security Lessons from 2016 and What's Next in 2017
HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017 Session 9, February 20, 2017 Deven McGraw, Deputy Director, Health Information Privacy HHS Office for Civil Rights 1 Speaker Introduction
More informationDon t Be the Next Headline! PHI and Cyber Security in Outsourced Services.
Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information
More informationHealthcare Privacy and Security:
Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association
More informationQUALITY HIPAA December 23, 2013
December 23, 2013 Page 1 of 5 Breach, HIPAA and Protected Health Information This week, we look at the rules governing HIPAA, the HITECH Act and HIPAA Omnibus Rule. Unsecured PHI means Protected Health
More informationCYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston
CYBERSECURITY Recent OCR Actions & Cyber Awareness Newsletters Claire C. Rosston DISCLAIMER This presentation is similar to any other legal education materials designed to provide general information on
More informationENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?
ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? Jonathan Carroll, MBA, CISSP AVP Enterprise IT Operations Information Security Officer University of Connecticut Why Are We Talking About This? Data breaches
More informationTerms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.
Medical Privacy Version 2018.03.26 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a Covered Entity
More informationHIPAA and HIPAA Compliance with PHI/PII in Research
HIPAA and HIPAA Compliance with PHI/PII in Research HIPAA Compliance Federal Regulations-Enforced by Office of Civil Rights State Regulations-Texas Administrative Codes Institutional Policies-UTHSA HOPs/IRB
More informationHIPAA Security Manual
2010 HIPAA Security Manual Revised with HITECH ACT Amendments Authored by J. Kevin West, Esq. 2010 HALL, FARLEY, OBERRECHT & BLANTON, P.A. DISCLAIMER This Manual is designed to set forth general policies
More informationThese rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.
HIPAA Checklist There are 3 main parts to the HIPAA Security Rule. They include technical safeguards, physical safeguards, and administrative safeguards. This document strives to summarize the requirements
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationThe ABCs of HIPAA Security
The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1 Daniel F. Shay, Esq. Alice G. Gosfield
More informationDON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY
DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare
More informationThe simplified guide to. HIPAA compliance
The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act
More informationHIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst
HIPAA Privacy and Security Kate Wakefield, CISSP/MLS/MPA Information Security Analyst Kwakefield@costco.com Presentation Overview HIPAA Legislative history & key dates. Who is affected? Employers too!
More informationHIPAA For Assisted Living WALA iii
Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...
More informationSeven gray areas of HIPAA you can t ignore
White Paper: HIPAA Gray Areas Seven gray areas of HIPAA you can t ignore This guide exists to shed some light on some of the gray areas of HIPAA (the Health Insurance Portability and Accountability Act).
More informationHIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood
HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood Braun Tacon Process Architect / Auditor Owner: www.majorincidenthandling.com Winning Lotto.1 in 175 Million Attacked
More informationA Panel Discussion. Nancy Davis
A Panel Discussion 1 Nancy Davis Director of Compliance & Safety, Door County Medical Center Cathy Hansen Director, Health Information Services & Privacy Officer, St. Croix Regional Medical Center Rhonda
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationThe HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance
The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San
More informationefolder White Paper: HIPAA Compliance
efolder White Paper: HIPAA Compliance November 2015 Copyright 2015, efolder, Inc. Abstract This paper outlines how companies can use certain efolder services to facilitate HIPAA and HITECH compliance within
More informationHIPAA COMPLIANCE AND
INTRONIS MSP SOLUTIONS BY BARRACUDA HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and Intronis Cloud Backup and
More informationPrivacy Breach Policy
1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationAudits Accounting of disclosures
Once more unto the breach Mastering HIPAA s data breach notification requirements September 20, 2011 Presented by: Kathy Kenady Senior Loss Prevention Representative Medical Insurance Exchange of California
More informationA Security Risk Analysis is More Than Meaningful Use
A Security Risk Analysis is More Than Meaningful Use An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337 Introduction Eagle Associates,
More informationHIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011
HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, 2012 Phyllis F. Granade The Granade Law Firm Atlanta, GA (678) 705 2507 pgranade@granadelaw.com www.granadelaw.com Looking
More informationCERT Symposium: Cyber Security Incident Management for Health Information Exchanges
Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,
More informationA Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud
A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,
More informationHIPAA and the Chiropractic Practice
Back to Chiropractic CE Seminars Welcome: This course is approved for 2 Hours of CE for Ethics & Law (HIPAA and the Chiropractic Practice) for the Chiropractic Board of Examiners for the state of California.
More informationLatest Legal Threat for Providers Protecting Private Information in Text Messages, s and Other Electronic Transmissions
Presenting a live 90 minute webinar with interactive Q&A Portable Electronic Devices in Healthcare: Latest Legal Threat for Providers Protecting Private Information in Text Messages, Emails and Other Electronic
More informationHIPAA Cloud Computing Guidance
HIPAA Cloud Computing Guidance Adam Greene, JD, MPH Partner Rebecca Williams, BSN, JD Partner Nature is a mutable cloud which is always and never the same Ralph Waldo Emerson 2 Agenda A few historical
More informationHIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders
HIPAA Developed by The University of Texas at Dallas Callier Center for Communication Disorders Purpose of this training Everyone with access to Protected Health Information (PHI) must comply with HIPAA
More informationCloud Communications for Healthcare
Cloud Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization
More informationHIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA Privacy & Security Training HIPAA The Health Insurance Portability and Accountability Act of 1996 AMTA confidentiality requirements AMTA Professional Competencies 20. Documentation 20.7 Demonstrate
More informationHIPAA FINAL SECURITY RULE 2004 WIGGIN AND DANA LLP
SUMMY OF HIP FINL SECUITY ULE 2004 WIGGIN ND DN LLP INTODUCTION On February 20, 2003, the Department of Health and Human Services ( HHS ) published the final HIP security standards, Health Insurance eform:
More informationHIPAA Enforcement Training for State Attorneys General
: HIPAA Security Fundamentals HIPAA Enforcement Training for State Attorneys General Module Introduction : Introduction This module discusses: The three objectives of health information security confidentiality
More informationSupport for the HIPAA Security Rule
white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe
More information