Performing HIPAA Security Reviews


1 Performing HIPAA Security Reviews
Mike Cullen, Baker Tilly

Session objectives
> Define HIPAA and provide a security overview
> Understand that HIPAA applies beyond healthcare entities and discuss key areas of HIPAA compliance that institutions should review
> Highlight the latest developments in HIPAA rulemaking and the OCR's planned audits of covered entities (CE) and business associates (BA)
> Review an approach to addressing this area and help your institution cover its compliance risks in a practical manner

2 Objective #1: Define HIPAA and provide a security overview

Regulatory response over time
> 1934 SEC Act
> 1974 Privacy Act & FERPA
> 1996 HIPAA
> 1998 Safe Harbor (European Union)
> 1999 GLBA
> 2001 Cybersecurity Enhancement Act
> 2003 California Data Breach Law
> 2006 PCI DSS
> 2009 HITECH
> 2010 Massachusetts Privacy Law
> 2014 Kentucky becomes the 47th state with a data breach law
> 2015 PCI DSS v3

3 Brief history of HIPAA
> HIPAA (1996): Titles I through V
  > Title II: Preventing Healthcare Fraud and Abuse; Medical Liability Reform; Administrative Simplification
    > Administrative Simplification: Electronic Data Interchange (Transactions, Identifiers, Code Sets); Security Rule (2003); Privacy Rule (2000)
> Genetic Information Nondiscrimination Act (2008)
> American Recovery and Reinvestment Act (2009): HITECH
  > Improved privacy and security provisions
  > Enforcement
  > Breach Notification Final Rule
  > Proposed Accounting of Disclosures
> Patient Protection and Affordable Care Act
> HIPAA Final Omnibus Rules published January 25th, 2013 (effective March 26th, 2013; compliance required by September 23rd, 2013)

4 Ponemon Institute Medical Identity Theft Study (2015) [chart not reproduced in the transcription]

5 HIPAA related reported breaches (Jan 2012 - Mar 2015) [chart not reproduced in the transcription]

Impacts of data breaches
> Deceptive or unfair trade charges
> Regulator scrutiny
> Damage to brand
> Regulatory sanctions
> Negative publicity
> Damaged employee relationships
> Legal liability
> Refusal to share personal information
> Damaged customer relationships
> Fines

6 HIPAA Rules
> Privacy Rule*
> Security Rule
> Breach Notification Rule
> Enforcement Rule*

7 Security Rule
> Administrative Safeguards
> Physical Safeguards
> Technical Safeguards

Administrative Safeguards
> Security management
> Security responsibility
> Workforce security
> Information access management
> Security awareness and training
> Security incident procedures
> Contingency plans
> Evaluation
> BA contracts

8 Physical Safeguards
> Facility access controls
> Workstation use
> Workstation security
> Device and media controls

Technical Safeguards
> Access control
> Audit controls
> Integrity
> Person or entity authentication
> Transmission security

9 Breach Notification Rule
> Notification to individuals
> Notification to the media
> Notification to the Secretary
> Notification by a business associate

Breach Notification Rule Details
> Defines breach (45 CFR) as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI
> An unauthorized acquisition, access, use, or disclosure of PHI (with enumerated exceptions) is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.

10 Breach Notification Rule Details (continued)
> This risk assessment must address at least the following factors:
  > The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  > The unauthorized person(s) who used the PHI or to whom the disclosure was made;
  > Whether the PHI was actually acquired or viewed; and
  > The extent to which the risk to the PHI has been mitigated.

Breach Notification Rule Exceptions
> Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of authority, and if it does not result in further impermissible use or disclosure
> Any inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information is not further impermissibly used or disclosed

11 Breach Notification Rule Exceptions (continued)
> A disclosure of PHI where a covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.


13 Objective #2: Understand that HIPAA applies beyond healthcare entities and discuss key areas of HIPAA compliance that institutions should review

Who must comply?
> Covered Entities (CE): health plans, health care clearinghouses and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards
> Business Associate (BA): a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate

14 Who must comply? (continued)
> Hybrid Entity: a single legal entity that is a covered entity; whose business activities include both covered and non-covered functions; and that designates health care components in accordance with HIPAA requirements
> Hybrid Entities must:
  > Designate the health care component
  > Ensure the health care component complies with all requirements
  > Create separations from the non-covered functions
  > Ensure only limited, allowed disclosures between the health care component and non-covered functions, including workforce members with duties on both sides

Hybrid entities in Higher Education
Advantages
> Limit the scope of HIPAA compliance
> Target training and procedures to only the health care component
> Include services in the health care component to share PHI without BAAs
Disadvantages
> Effort to identify and define the health care component
> Create additional separations from the non-covered functions
> Limited disclosures outside of the health care component still must be tracked
> Customer/partner road blocks when dealing with non-covered functions
> Challenges with common physical space and computer systems

15 Hybrid entities and research (from NIH)
> Research components of a hybrid entity that function as health care providers and conduct certain standard electronic transactions must be included in the health care components and be subject to the Privacy Rule
> Research components that function as health care providers, but do not conduct these electronic transactions, may, but are not required to, be included in the health care components.
> The hybrid entity is not permitted to include in its health care component a research component that does not function as a health care provider or does not conduct business associate-like functions. As such, authorizations are generally required for use or disclosure of PHI for research purposes.

CEs: Covered entities should:
> Understand BA compliance, up- and downstream
> Build collaboration and understanding with the BAs beyond the agreement
> Complete a HIPAA Security Risk Assessment

BAs: Business associates should:
> Understand CE expectations, as documented in the Business Associate Agreement (BAA)
> Ensure HIPAA compliance for downstream BAs
> Complete a HIPAA Security Risk Assessment

16 Objective #3: Highlight the latest developments in HIPAA rulemaking and the OCR's planned audits of covered entities (CE) and business associates (BA)

Latest Developments
> BA increased compliance requirements
> Omnibus rule
> Enforcement
> OCR audits

17 BA increased compliance requirements
> All provisions of the Security Rule are now applicable
> BAs can be directly liable for HIPAA noncompliance
> BAs are required to have appropriate agreements in place with subcontractors who access ePHI
> Breach risk analysis is more comprehensive than the previous harm threshold
> Requirement to provide a copy of ePHI to a covered entity or individual upon request
> Requirement to maintain an accounting of disclosures

Omnibus Ruling 2013: What's changed?
> Broader definition of business associate
> New limits on how information can be used for marketing and fundraising purposes
> Tiered civil penalty structure
> Breach is redefined
  > When PHI is disclosed or used impermissibly, it will be considered a breach unless the CE or BA can show that there was a low probability that the PHI was compromised
  > How to prove this? Conduct a breach risk assessment
  > Four-factor risk assessment replaces the harm threshold for identifying a breach

18 Omnibus Ruling 2013: What's changed? (continued)
> Subcontractors to CEs are defined as BAs; as such they require Business Associate Agreements (BAA)
> Defined PHI as individually identifiable health information that is:
  > Transmitted or maintained in electronic media
  > Transmitted or maintained in any other form or medium
> PHI excludes individually identifiable health information in the following:
  > FERPA educational records
  > FERPA records made or maintained by a physician, psychiatrist, psychologist, or other recognized professional
  > Employment records held by a CE
  > A person deceased for more than 50 years

PHI Elements
> Names
> Geographic subdivisions smaller than a state
> All elements of dates (except year)
> Telephone numbers
> Fax numbers
> Email addresses
> SSN
> Medical record numbers
> Health plan beneficiary numbers
> Account numbers
> Certificate/license numbers
> Vehicle identifiers
> Device identifiers
> Web URLs
> IP address numbers
> Biometric identifiers
> Full face photographs
> Any other unique identifying number, characteristic, or code
> Individually identifying genetic information

19 Increased civil money penalties

Violation category                        Each violation        Max for identical provision in a calendar year
(a) Did not know                          $100 - $50,000        $1,500,000
(b) Reasonable cause                      $1,000 - $50,000      $1,500,000
(c)(i) Willful neglect, corrected         $10,000 - $50,000     $1,500,000
(c)(ii) Willful neglect, not corrected    $50,000               $1,500,000

Enforcement: Idaho State University
Findings
> ePHI of approx. 17,500 patients was unsecured for at least 10 months after a firewall was disabled
> ISU risk assessments of clinics were incomplete and inadequately identified potential risks and vulnerabilities
Results
> $400,000 penalty
> Corrective Action Plan

20 Enforcement: Columbia and NY Presbyterian
Findings
> Columbia failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ePHI, including the server accessing NYP ePHI.
> Columbia failed to implement processes for assessing and monitoring IT equipment, applications and data systems that were linked to NYP patient databases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level.
Results
> $1,500,000 penalty for Columbia
> 3-year Corrective Action Plan

Enforcement: Oregon Health & Science University
Findings
> Two data breaches in 2013 that involved more than 7,000 patients; they occurred within three months of each other
> A surgeon's laptop, which held information on 4,022 patients and was not encrypted, was stolen from a Hawaii vacation rental
> Newly minted physicians in residency programs for plastic surgery, urology, and kidney transplants used an internet-based cloud service to maintain a spreadsheet of 3,044 patients
Results
> $2,700,000 penalty
> 3-year Corrective Action Plan

21 Enforcement: University of Mississippi Medical Center
Findings
> Stolen laptop; the investigation revealed an unsecured network drive accessible by a generic username and password to wireless network users; the drive contained the ePHI of an estimated 10,000 individuals
> The resolution agreement cited failure to implement safeguards against known risks and vulnerabilities in the systems storing ePHI
> The corrective action plan requires drafting an enterprise-wide risk analysis and risk management plan for ePHI
Results
> $2,750,000 penalty
> 3-year Corrective Action Plan

Enforcement: Catholic Health Care Services of the Archdiocese of Philadelphia
Findings
> Theft of an iPhone compromised the health information of more than 400 nursing home residents
> The resolution agreement marked the first time that OCR entered into a settlement with a business associate directly
> OCR highlighted that CHCS had not completed a risk analysis or risk management plan, had no policy for mobile devices containing PHI, and had no security incident response plan
Results
> $650,000 penalty
> Corrective Action Plan

22 OCR Audits Phase I
> Only 13 of the 115 organizations audited had no findings
> 58 of 59 healthcare providers had at least one finding or observation in the area of security
> The most common cause of findings was that the CE was unaware of the requirement

OCR Audits Phase II: What to Know
> Timing is now: 2016!
> Exact number of entities to be audited not determined yet
> Security risk assessments and breach notification will be key areas of focus
> Vet the audit protocol (on HHS OCR's website)
> Inventory all current business associates
> Document! Most audits will probably be executed via desk audits, or review of documentation alone
> If you are selected, don't ignore the federal government

23 Objective #4: Review an approach to addressing this area and help your institution cover its compliance risks in a practical manner

Three Recommended HIPAA Security Project Types
> HIPAA Security Risk Analysis (Assessment)
> HIPAA Incident/Breach Response Review
> Other HIPAA assurance activities

24 HIPAA Security Risk Analysis (Assessment): first project

Purpose of HIPAA security risk analysis
> Trace the flow of PHI inside and outside the organization
> Focus on four critical areas: processes, people, technology and governance
> Help organizations understand their level of risk, determine how to manage it, and help them manage their main areas of risk
> Meet requirements of the HIPAA security and breach notification rules

25 Key phases to complete a HIPAA security risk analysis
Phases: 1. Plan project; 2. Determine risks; 3. Analyze gaps; 4. Present results

Activities across the phases:
> Define in-scope systems
> Review policies and procedures
> Review past and present projects
> Build understanding of the PHI environment
> Conduct interviews with key stakeholders
> Identify risks and vulnerabilities of PHI the organization creates, receives, maintains or transmits
> Evaluate risks and vulnerabilities in administrative, technical and physical safeguards
> Assess security measures
> Determine the risks' impact and likelihood
> Document findings related to threats and vulnerabilities
> Document corrective action plans
> Review results with key stakeholders

Plan Project (phase 1)
How do you demonstrate compliance to the OCR?
> Document and retain the risk assessment, as well as policies, plans, and procedures
> Consider using the OCR tools and templates
Key questions to ask:
> What are the boundaries of your HIPAA/ePHI environment (critical step)?
> Have you identified the ePHI within your organization?
> What are the external sources of ePHI?
> What are the human, natural and environmental threats to information systems that contain ePHI?

26 Determine Risk (phase 2)
> Identify all assets, processes, and systems that process PHI and ePHI
> Focus on the confidentiality, integrity, and availability of ePHI created, received, maintained or transmitted
> Determine the associated risk related to potential vulnerabilities, threats, and critical impacts
> Determine the controls in place to address the threats/vulnerabilities and the likelihood of the risk occurring

Analyze Gaps (phase 3)
> Administrative safeguards: security management process, security awareness & training, incident management, and contingency planning
> Physical safeguards: facility access controls, workstation security, laptop and mobile device controls, and media disposal
> Technical safeguards: network, application, operating system, and databases

27 Analyze Gaps (phase 3, continued)
> Additional areas of focus:
  > Access controls, audit controls, integrity controls, authentication techniques and encryption for data in transit and data at rest
  > State of Safe Harbor controls, to determine if the client meets the criteria to be exempt from breach notification requirements
  > Organizational requirements: business associate contracts with outsourced service providers
  > Policies, procedures, and documentation requirements

Example Risk Analysis Matrix (one row)
Asset: Desktops
Asset Description: Desktops are used for accessing the company's environment. Sensitive data generally should not be stored locally on the machines; however, it is possible and does occur. All equipment is owned by the Company.
Threats:
> Adversarial, internal or external: someone could steal a desktop which has sensitive data and gain access.
> Non-adversarial, internal or external: a desktop could be repurposed and someone could access stored sensitive data. A desktop could be lost.
Vulnerabilities:
> Desktops could be stolen or their hard drives removed.
> Desktops might not be adequately erased when no longer needed.
> Desktops may have spyware, viruses, or malware installed which allows unauthorized access or data loss.
Likelihood (Inherent Risk): 5 Very High
Impact (Inherent Risk): 5 Very High
Impact Description: Unauthorized access to or disclosure of sensitive data.
Combined Risk: 5 Very High
Control Activities or Gaps:
> IT control environment (organization, training, policies, etc.)
> 4.1.a - A security incident monitoring tool is in place that notifies management of unusual or suspicious activity.
> GAP: 8.10.b - Encryption is installed on all desktops.
Current Risk: 3 Medium
Future Risk: 1 Very Low

28 Example Risk Analysis Matrix Items (phase 3)
> Asset (or Asset class): a high-level description of the IT asset.
  > Examples might include Windows servers, smartphones/tablets, ABC applications, Oracle databases, etc.
  > As part of the methodology, teams should identify and group wherever possible IT assets that share similar risk elements.
> Asset Description: a more detailed description of the asset that includes descriptions of the types of data the asset holds and the functions it performs.
> Threats: the threats to how the information on the asset could be compromised.
> Vulnerabilities: the inherent vulnerabilities with the asset that need to be mitigated.
> Likelihood (Inherent Risk): based on the asset description (which will include inherent information about the sensitivity of the data), the threats, and the vulnerabilities.
> Impact (Inherent Risk): based on the asset description, this is the impact if a cyber event occurred.
> Impact Description: a description of the impact. Typically this would be permanent loss or corruption of key data, temporary loss or corruption of key data, and/or unauthorized access to view key data.

29 Example Risk Analysis Matrix Items (phase 3, continued)
> Combined Risk: the combined inherent risk based on one of the risk scoring models.
> Control Activities or Gaps: the control activities that are either in place or that should be in place (identified as gaps). It may be helpful to create a master table of control activities and gaps to cross-reference.
  > Align to the Security Rule's administrative, physical, and technical safeguards
> Current Risk: current risk based on how well the control activities in place mitigate the threats and vulnerabilities.
> Future Risk: risk if all identified gaps/controls are put in place.

Administrative Safeguards: Standards and Implementation Specifications [(R)=Required, (A)=Addressable]
> Security Management Process: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
> Assigned Security Responsibility: Assigned Security Responsibility (R)
> Workforce Security: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
> Information Access Management: Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
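The matrix items above, as an added Python example that is not part of the deck: it models one matrix row (asset, threats, vulnerabilities, inherent likelihood and impact, controls in place or recorded as gaps), computes combined, current and future risk under an assumed scoring model (the deck only says "one of the risk scoring models"), and orders open gaps for remediation across assets. The Desktops row is taken from the deck's example matrix; the Laptops row, the control reference 8.12.a and every reduction weight are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Five-point scale from the deck's matrix: 1 Very Low, 3 Medium and 5 Very High
# appear on the slide; the labels for 2 and 4 are assumed.
RATING = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass
class Control:
    ref: str          # reference into a master control table, e.g. "8.10.b"
    description: str
    reduction: int    # ASSUMED weight: points of risk removed when in place
    in_place: bool    # False means the matrix row records it as a GAP


@dataclass
class AssetRisk:
    """One row of the risk analysis matrix."""
    asset: str
    description: str
    threats: list[str]
    vulnerabilities: list[str]
    likelihood: int   # inherent likelihood, 1..5
    impact: int       # inherent impact, 1..5
    impact_description: str
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for score in (self.likelihood, self.impact):
            if score not in RATING:
                raise ValueError(f"score {score} is outside the 1..5 scale")

    def combined_risk(self) -> int:
        # ASSUMED scoring model: inherent risk is the worse of the two scores.
        return max(self.likelihood, self.impact)

    def current_risk(self) -> int:
        # Credit only the controls that are actually in place today.
        mitigated = sum(c.reduction for c in self.controls if c.in_place)
        return max(1, self.combined_risk() - mitigated)

    def future_risk(self) -> int:
        # Risk if every identified gap were closed as well.
        mitigated = sum(c.reduction for c in self.controls)
        return max(1, self.combined_risk() - mitigated)

    def gaps(self) -> list[Control]:
        return [c for c in self.controls if not c.in_place]

    def summary(self) -> str:
        """Scoring columns of the row, e.g. 'Desktops: combined_risk 5 Very High, ...'."""
        cells = [(n, getattr(self, n)()) for n in ("combined_risk", "current_risk", "future_risk")]
        return f"{self.asset}: " + ", ".join(f"{n} {s} {RATING[s]}" for n, s in cells)


def prioritise_gaps(register: list[AssetRisk]) -> list[tuple[str, str]]:
    """Order open gaps across all assets: highest current risk first, then the
    largest reduction, so the corrective action plan tackles the biggest residual
    exposure first (the deck lists failure to prioritise as a common mistake)."""
    rows = [(a.current_risk(), g.reduction, a.asset, g.ref)
            for a in register for g in a.gaps()]
    rows.sort(key=lambda r: (-r[0], -r[1], r[2], r[3]))
    return [(asset, ref) for _, _, asset, ref in rows]


# The Desktops row from the deck's example matrix; the reduction weights are assumed.
DESKTOPS = AssetRisk(
    asset="Desktops",
    description="Used to access the company's environment; sensitive data should "
                "not be stored locally, but it does occur.",
    threats=["Adversarial: theft of a desktop holding sensitive data",
             "Non-adversarial: a repurposed or lost desktop exposes stored data"],
    vulnerabilities=["Stolen desktop or removed hard drive",
                     "Not adequately erased when no longer needed",
                     "Spyware, viruses or malware installed"],
    likelihood=5, impact=5,
    impact_description="Unauthorized access to or disclosure of sensitive data",
    controls=[
        Control("4.1.a", "Security incident monitoring tool notifies management", 2, True),
        Control("8.10.b", "Encryption is installed on all desktops", 2, False),
    ],
)

# A second, constructed row (the reference 8.12.a is made up) so prioritisation has something to compare.
LAPTOPS = AssetRisk(
    asset="Laptops",
    description="Constructed example: mobile workstations that leave the facility.",
    threats=["Adversarial: theft from a vehicle, home or hotel room"],
    vulnerabilities=["Unencrypted local storage", "No remote wipe"],
    likelihood=4, impact=5,
    impact_description="Unauthorized access to or disclosure of ePHI",
    controls=[
        Control("8.10.b", "Full-disk encryption on all laptops", 3, False),
        Control("8.12.a", "Mobile device management with remote wipe", 1, True),
    ],
)
REGISTER = [DESKTOPS, LAPTOPS]
```

With the assumed weights the Desktops row reproduces the deck's scores (combined 5 Very High, current 3 Medium, future 1 Very Low), and `prioritise_gaps(REGISTER)` puts the laptop encryption gap ahead of the desktop one.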

30 Administrative Safeguards: Standards and Implementation Specifications (continued) [(R)=Required, (A)=Addressable]
> Security Awareness and Training: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
> Security Incident Procedures: Response and Reporting (R)
> Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
> Evaluation: Evaluation (R)
> Business Associate Contracts and Other Arrangements: Written Contract or Other Arrangement (R)

Physical Safeguards: Standards and Implementation Specifications [(R)=Required, (A)=Addressable]
> Facility Access Controls: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
> Workstation Use: Workstation Use (R)
> Workstation Security: Workstation Security (R)
> Device and Media Controls: Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

31 Technical Safeguards: Standards and Implementation Specifications [(R)=Required, (A)=Addressable]
> Access Control: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
> Audit Controls: Audit Controls (R)
> Integrity: Mechanism to Authenticate Electronic Protected Health Information (A)
> Person or Entity Authentication: Person or Entity Authentication (R)
> Transmission Security: Integrity Controls (A); Encryption (A)

Present Results (phase 4)
> Document risk analysis findings related to threats and vulnerabilities
> Review results with key stakeholders
> Develop and document a risk management plan to address each gap, with residual risk being identified

32 Lessons Learned/Common Mistakes
> Incomplete ePHI inventory and inadequate scoping of the assessment
> Lack of strong executive sponsorship to complete the assessment
> Poor understanding of the HIPAA Security Implementation Specifications
> Inability to effectively prioritize remediation activities
> Assessor lacks adequate knowledge and independence

HIPAA Incident/Breach Response Review: second project

33 Incident/breach Response Plan
What is an incident/breach response plan?
> Capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits (ISACA)
Why does your institution need an incident/breach response plan?
> It is not a matter of if you will have an incident/breach, it is a matter of when
> Decentralized organizations with numerous stakeholders increase the likelihood of ad hoc responses
> Inappropriate or inadequate response can lead to reputational and financial damage

What Is a HIPAA Breach Requiring Notification?
> Minimum necessary violations may require breach notification
> Nature and extent of PHI involved
> Unauthorized person who used PHI
> Whether PHI was actually acquired or viewed
> Extent to which risk to PHI is mitigated
> Exceptions

34 What about State Breach Laws?
> Many states include PHI as data elements covered by law
> Potential conflicts between HIPAA and state law
> HIPAA preempts state law
> 47 states, DC, Guam, Puerto Rico, and the US Virgin Islands have data breach laws
> Exceptions: Alabama, New Mexico, South Dakota

Incident/Breach Response Key Components
> Policy: establishes goals and vision for the breach response process, defined scope (to whom it applies and under what circumstances), roles and responsibilities, standards, metrics, feedback, remediation and requirements for awareness training
> Plan: covers all phases of the response activities
> Procedures: derive from the Plan and codify specific tasks, actions and activities that are part of the breach response effort.

35 Why should an incident/breach response be audited?
> Ensures that the plan contains accurate, current information
> Allows the response process to be assessed and fine-tuned
> Identifies potential issues in advance, before the breach occurs
> Should a breach subsequently occur, it allows the process to operate more efficiently

What should the incident/breach response plan contain?
> Individuals/team that will lead the breach response process and make the final determination that an actual breach has occurred
> Emergency contacts
> Information on relevant regulatory and law enforcement agencies that must be contacted
> Steps required to assess the scope of the breach and prepare the response (including containment, eradication and recovery)
> Post-mortem assessment, remediation, ongoing training

36 What should the incident/breach response plan contain? (continued)
> There should be a well-known mechanism for all employees to report a suspected breach of sensitive information
> There should be recurring training for all staff that includes:
  > What constitutes a breach
    > HIPAA has 19 types of PHI
  > What does NOT constitute a breach
    > Accidental disclosure
> The plan should be tested/rehearsed (table-top testing) not less than once per year

Incident/Breach Response OCR Questions
> What approach did you use to conduct the HIPAA Security Risk assessment?
> Has an ePHI data inventory been created and have data flows been tracked?
> What are your vendor risk management practices?
> What are the human, natural, and environmental threats to information systems that contain ePHI?
> How is ePHI on remote devices protected? Is encryption utilized?
> Describe your breach/incident management procedures. How are these coordinated with any third-party vendors?

37 Other HIPAA assurance activities: third project
> Additional attestation and certification projects

38 Questions?
Contact Info
> Mike Cullen, CISA, CISSP, CIPP/US
> Senior Manager, Baker Tilly

39 Required disclosure and Circular 230 Prominent Disclosure
> The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
> Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan or arrangement to any other party.
> Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.


More information

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP Protect Your Institution with Effective Cybersecurity Governance 1 Your presenter Mike Cullen, Senior Manager, Baker Tilly CISA, CISSP, CIPP/US > Leads the firm s Higher Education Technology Risk Services

More information

Healthcare Privacy and Security:

Healthcare Privacy and Security: Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association

More information

Breach Notification Remember State Law

Breach Notification Remember State Law Breach Notification HITECH: First federal law mandating breach notification for health care industry Applies to covered entities, business associates, PHR vendors, and PHR service providers FTC regulates

More information

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule The Twenty-Second National HIPAA Summit Healthcare Privacy and Security After HITECH and Health Reform Rebecca Williams,

More information

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Breach New Heights The role of ITAM in preventing a data breach Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Agenda Why Breaches Matter to the ITAM group The cost

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 10 I. Policy The Health Information Technology for Economic and Clinical Health Act regulations ( HITECH ) amended the Health Information Portability and Accountability Act ( HIPAA ) to establish

More information

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance HIPAA Compliance Officer Training By HITECH Compliance Associates Building a Culture of Compliance Your Instructor Is Michael McCoy Nationally Recognized HIPAA Expert » Nothing contained herein should

More information

Core Elements of HIPAA The Privacy Rule establishes individuals privacy rights and addresses the use and disclosure of protected health information ( PHI ) by covered entities and business associates The

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Iliana L. Peters, J.D., LL.M. Senior Advisor for HIPAA Compliance and Enforcement OCR RULEMAKING UPDATE What s s Done?

More information

Incident Response: Are You Ready?

Incident Response: Are You Ready? Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher

More information

(c) Apgar & Associates, LLC

(c) Apgar & Associates, LLC Incident Response: Are You Ready? Chris Apgar, CISSP Apgar & Associates, LLC 2014 Security Incident vs. Breach Overview Security Incident Planning and Your Team Final Breach Notification Rule a refresher

More information

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC 855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance

More information

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within

More information

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Ruby Raley, Director Healthcare Solutions Axway Agenda Topics: Using risk assessments to improve

More information

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. HIPAA GENERAL RULE PHI may not be disclosed without patient authorization

More information

HIPAA Tips and Advice for Your. Medical Practice

HIPAA Tips and Advice for Your. Medical Practice HIPAA Tips and Advice for Your Ericka L. Adler Medical Practice Rachel V. Rose WHY Header HIPAA PATIENT and Medical PORTALS? Practices HIPAA Basics Who is a covered entity? What is PHI? When can you disclose

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017 David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017 Privacy and security of patient information held by health care providers remains a concern of the federal government. More resources

More information

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016 How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are

More information

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA and HIPAA Compliance with PHI/PII in Research HIPAA and HIPAA Compliance with PHI/PII in Research HIPAA Compliance Federal Regulations-Enforced by Office of Civil Rights State Regulations-Texas Administrative Codes Institutional Policies-UTHSA HOPs/IRB

More information

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017 HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017 Session 9, February 20, 2017 Deven McGraw, Deputy Director, Health Information Privacy HHS Office for Civil Rights 1 Speaker Introduction

More information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security

More information

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide Cyber Attacks and Data Breaches: A Legal and Business Survival Guide August 21, 2012 Max Bodoin, Vince Farhat, Shannon Salimone Copyright 2012 Holland & Knight LLP. All Rights Reserved What this Program

More information

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,

More information

All Aboard the HIPAA Omnibus An Auditor s Perspective

All Aboard the HIPAA Omnibus An Auditor s Perspective All Aboard the HIPAA Omnibus An Auditor s Perspective Rick Dakin CEO & Chief Security Strategist February 20, 2013 1 Agenda Healthcare Security Regulations A Look Back What is the final Omnibus Rule? Changes

More information

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA COMPLIANCE AND DATA PROTECTION Page 1 HIPAA COMPLIANCE AND DATA PROTECTION info@resultstechnology.com 877.435.8877 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and RESULTS Cloud

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2009 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

The ABCs of HIPAA Security

The ABCs of HIPAA Security The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1 Daniel F. Shay, Esq. Alice G. Gosfield

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is

More information

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 Breach Notification State Law Privacy Rule Authorizations Polices and Procedures The Truth Is Have created

More information

QUALITY HIPAA December 23, 2013

QUALITY HIPAA December 23, 2013 December 23, 2013 Page 1 of 5 Breach, HIPAA and Protected Health Information This week, we look at the rules governing HIPAA, the HITECH Act and HIPAA Omnibus Rule. Unsecured PHI means Protected Health

More information

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst HIPAA Privacy and Security Kate Wakefield, CISSP/MLS/MPA Information Security Analyst Kwakefield@costco.com Presentation Overview HIPAA Legislative history & key dates. Who is affected? Employers too!

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood Braun Tacon Process Architect / Auditor Owner: www.majorincidenthandling.com Winning Lotto.1 in 175 Million Attacked

More information

HIPAA FOR BROKERS. revised 10/17

HIPAA FOR BROKERS. revised 10/17 HIPAA FOR BROKERS revised 10/17 COURSE PURPOSE The purpose of this information is to help ensure that all Optima Health Brokers are prepared to protect the privacy and security of our members health information.

More information

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE 164.502 Develop "minimum necessary" policies for: HIPAA PRIVACY RULE 164.514 - Uses 15 Exempts disclosure for the purpose of treatment from the minimum necessary standard. Page references for - Routine

More information

A Panel Discussion. Nancy Davis

A Panel Discussion. Nancy Davis A Panel Discussion 1 Nancy Davis Director of Compliance & Safety, Door County Medical Center Cathy Hansen Director, Health Information Services & Privacy Officer, St. Croix Regional Medical Center Rhonda

More information

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,

More information

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Elements of a Swift (and Effective) Response to a HIPAA Security Breach Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association of Nurse Attorneys Disclaimer The information

More information

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston CYBERSECURITY Recent OCR Actions & Cyber Awareness Newsletters Claire C. Rosston DISCLAIMER This presentation is similar to any other legal education materials designed to provide general information on

More information

HIPAA Security Rule Policy Map

HIPAA Security Rule Policy Map Rule Policy Map Document Information Identifier Status Published Published 02/15/2008 Last Reviewed 02/15/1008 Last Updated 02/15/2008 Version 1.0 Revision History Version Published Author Description

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq. How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq. Word Count: 2,268 Physician practices have lived with the reality of HIPAA for over twenty years. In that time, it has likely

More information

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/ Compliance Institute Session 501: Implementing a System-Wide Access Monitoring Program Brian D. Annulis Meade, Roach & Annulis, LLP Aegis Compliance & Ethics Center, LLP 4147 N. Ravenswood Avenue Suite

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes the HIPAA Security Rule requirements that should be implemented by both covered entities and business associates. The citations are to 45 CFR

More information

Regulation P & GLBA Training

Regulation P & GLBA Training Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

The simplified guide to. HIPAA compliance

The simplified guide to. HIPAA compliance The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act

More information

Summary Analysis: The Final HIPAA Security Rule

Summary Analysis: The Final HIPAA Security Rule 1 of 6 5/20/2005 5:00 PM HIPAAdvisory > HIPAAregs > Final Security Rule Summary Analysis: The Final HIPAA Security Rule By Tom Grove, Vice President, Phoenix Health Systems February 2003 On February 13,

More information

HIPAA Privacy, Security and Breach Notification 2017

HIPAA Privacy, Security and Breach Notification 2017 HIPAA Privacy, Security and Breach Notification 2017 An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337

More information

Data Backup and Contingency Planning Procedure

Data Backup and Contingency Planning Procedure HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage

More information

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches

More information

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Marissa Gordon-Nguyen Office for Civil Rights (OCR) U.S. Department of Health and Human Services June

More information

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018 Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018 Agenda Principal Obligations Under GDPR Key U.S. Privacy & Cybersecurity Laws E.U.

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

HIPAA Security Manual

HIPAA Security Manual 2010 HIPAA Security Manual Revised with HITECH ACT Amendments Authored by J. Kevin West, Esq. 2010 HALL, FARLEY, OBERRECHT & BLANTON, P.A. DISCLAIMER This Manual is designed to set forth general policies

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

HIPAA Security Rule: Annual Checkup. Matt Sorensen

HIPAA Security Rule: Annual Checkup. Matt Sorensen HIPAA Security Rule: Annual Checkup Matt Sorensen Disclaimer This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, 2016 6/21/2016 1 1 Disclaimer

More information

Cyber Risk Emerging Trends and Regulatory Update

Cyber Risk Emerging Trends and Regulatory Update Cyber Risk Emerging Trends and Regulatory Update June 12, 2013 1 Webinar Moderator Phil Hurd ACUA President 2 Your Presenters Mike Cullen, Senior Manager CISA, CISSP, CIPP/US > Leads the firm s Technology

More information

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities

More information

Audits Accounting of disclosures

Audits Accounting of disclosures Once more unto the breach Mastering HIPAA s data breach notification requirements September 20, 2011 Presented by: Kathy Kenady Senior Loss Prevention Representative Medical Insurance Exchange of California

More information

Hospital Council of Western Pennsylvania. June 21, 2012

Hospital Council of Western Pennsylvania. June 21, 2012 Updates on OCR s HIPAA Enforcement and Regulations Hospital Council of Western Pennsylvania June 21, 2012 Topics HIPAA Privacy and Security Rule Enforcement HITECH Breach Notification OCR Audit Program

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014 Computer Security Incident Response Plan Name of Approver: Mary Ann Blair Date of Approval: 23-FEB-2014 Date of Review: 31-MAY-2016 Effective Date: 23-FEB-2014 Name of Reviewer: John Lerchey Table of Contents

More information

HIPAA COMPLIANCE FOR VOYANCE

HIPAA COMPLIANCE FOR VOYANCE HIPAA COMPLIANCE FOR VOYANCE How healthcare organizations can deploy Nyansa s Voyance analytics platform within a HIPAA-compliant network environment in order to support their mission of delivering best-in-class

More information

Summary Comparison of Current Data Security and Breach Notification Bills

Summary Comparison of Current Data Security and Breach Notification Bills Topic S. 117 (Nelson) S. (Carper/Blunt) H.R. (Blackburn/Welch) Comments Data Security Standards The FTC shall promulgate regulations requiring information security practices that are appropriate to the

More information

HIPAA Cloud Computing Guidance

HIPAA Cloud Computing Guidance HIPAA Cloud Computing Guidance Adam Greene, JD, MPH Partner Rebecca Williams, BSN, JD Partner Nature is a mutable cloud which is always and never the same Ralph Waldo Emerson 2 Agenda A few historical

More information