Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Similar documents
Policy and Procedure: SDM Guidance for HIPAA Business Associates

HIPAA Security and Privacy Policies & Procedures

HIPAA Federal Security Rule H I P A A

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst

Healthcare Privacy and Security:

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security Checklist

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security Checklist

Privacy & Information Security Protocol: Breach Notification & Mitigation

Summary Analysis: The Final HIPAA Security Rule

Support for the HIPAA Security Rule

A Security Risk Analysis is More Than Meaningful Use

HIPAA FINAL SECURITY RULE 2004 WIGGIN AND DANA LLP

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Data Backup and Contingency Planning Procedure

HIPAA COMPLIANCE FOR VOYANCE

HIPAA Privacy, Security and Breach Notification 2018

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA Privacy, Security and Breach Notification 2017

HIPAA Security Manual

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance

University of Wisconsin-Madison Policy and Procedure

HIPAA FOR BROKERS. revised 10/17

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

HIPAA-HITECH: Privacy & Security Updates for 2015

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

The simplified guide to. HIPAA compliance

Integrating HIPAA into Your Managed Care Compliance Program

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

Putting It All Together:

Unit HIPAA Coordinators Briefing. J. T. Ash University of Hawaii System HIPAA Compliance Officer

The HIPAA Omnibus Rule

HIPAA Compliance and OBS Online Backup

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Security and Privacy Breach Notification

NMHC HIPAA Security Training Version

Meeting the Meaningful Use Security and Privacy Measure

HIPAA Privacy, Security and Breach Notification

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

QUALITY HIPAA December 23, 2013

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA Compliance Checklist

HIPAA Enforcement Training for State Attorneys General

HIPAA For Assisted Living WALA iii

efolder White Paper: HIPAA Compliance

HIPAA Security Rule Policy Map

Breach Notification Remember State Law

Implementing an Audit Program for HIPAA Compliance

Guide: HIPAA. GoToMeeting and HIPAA Compliance. Privacy, productivity and remote support. gotomeeting.com

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA COMPLIANCE AND

Federal Breach Notification Decision Tree and Tools

The ABCs of HIPAA Security

HIPAA Tips and Advice for Your. Medical Practice

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

HIPAA Controls. Powered by Auditor Mapping.

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

A Panel Discussion. Nancy Davis

SECURITY & PRIVACY DOCUMENTATION

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

Vendor Security Questionnaire

Start the Security Walkthrough

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

HIPAA Security Rule Overview

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA & Privacy Compliance Update

HIPAA Cloud Computing Guidance

Meaningful Use & Security Protecting Electronic Health Information in Accordance with the HIPAA Security Rule

Seven gray areas of HIPAA you can t ignore

HIPAA RISK ADVISOR SAMPLE REPORT

Privacy Breach Policy

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

Reference Architecture Assessment Report Cisco Healthcare Solution

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

HIPAA Security Rule s Technical Safeguards - Compliance

HIPAA and the Chiropractic Practice

HIPAA Security & Privacy

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

University of Wisconsin-Madison Policy and Procedure

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Transcription:

Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu

Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected health information (PHI) This training only provides what needs to be done for Security Rule obligations, and not how you need to accomplish them. How is a risk-based collaboration between IT, Security, and Business. Information about HIPAA from the U.S. Department of Health and Human Services (HHS): https://www.hhs.gov/hipaa/for-professionals/index.html Unofficial version from HHS combining all HIPAA regulatory standards in one document (115 pages): https://www.hhs.gov/sites/default/files/hipaa-simplification- 201303.pdf

HIPAA Privacy Rule The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. https://www.hhs.gov/hipaa/forprofessionals/privacy/index.html 45 CFR Part 160 and Subparts A and E of Part 164.

HIPAA Security Rule The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. https://www.hhs.gov/hipaa/forprofessionals/security/guidance/index.html 45 CFR Part 160 and Subparts A and C of Part 164. Safeguards: Administrative Physical Technical

Breach of Unsecured PHI Notification to Individuals: Individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of such breach must be notified without unreasonable delay and in no case later than 60 calendar days following the discovery of such breach. Notification to Others: A UH Covered Component shall also notify prominent local media outlets if the breach involves more than 500 residents of the State no later than 60 days after discovery of the breach. Notification to DHHS Secretary: A UH Covered Component shall notify the DHHS Secretary on an annual basis, in a manner specified on the DHHS Web site, and via a report due to the DHHS Secretary no later than 60 calendar days after the end of the calendar year in which breaches are discovered if less than 500 individuals are involved. If more than 500 individuals are involved, the UH Covered Component shall notify the DHHS Secretary in the manner provided by the DHHS Web site, which presently requires notice without unreasonable delay and in no case later than 60 days following a breach. Notification by a Business Associate. A Business Associate shall notify a UH Covered Component of a breach within 5 business days that the Business Associate discovered a breach occurred

Mandatory Security Requirements Ensure the confidentiality, integrity, and availability of all its PHI; Protect against any reasonably anticipated threats or hazards to the security or integrity of the PHI, including ephi; Protect against any reasonably anticipated uses or disclosures of PHI that are not permitted or required; Ensure compliance by its workforce.

Two types of Rule elements 1. Required standards 2. Addressable standards CE must decide whether the standard is reasonable and appropriate to the local setting, and cost to implement Can either Implement the standard as published Implement some alternative (and document why) Not implement the standard at all (and document why)

Three Categories of Standards Administrative safeguards Policies and procedures to prevent, detect, contain and correct information security violations Physical Safeguards IT equipment and media protections Technical Safeguards Controls (mostly software) for access, information integrity, audit trails

Administrative Safeguards Required 1. Risk Analysis 2. Risk Management 3. Sanctions Policy 4. Information System Activity Review 5. Assigned Security Responsibility 6. Isolating Health Care Clearinghouse Functions 7. Security Incident Response & Reporting 8. Data Backup Plan 9. Disaster Recovery Plan 10. Emergency Mode Operations 11. Periodic Evaluations of Standards Compliance

Administrative Safeguards Addressable 1. Workforce security authorizations 2. Workforce clearance procedure 3. Termination Procedures 4. Information Access Authorization 5. Access Establishment and Modification 6. Security Reminders 7. Protection from Malicious Software 8. Log-in Monitoring 9. Password Management 10. Testing and Revision Procedures 11. Applications and Data Criticality Analysis

Physical Safeguards Required 1. Workstation Use 2. Workstation Security 3. Disposal of media Deletion of PHI prior to disposal, or Secure disposal so data is not recoverable 4. Media Reuse Deletion of PHI prior to re-use

Physical Safeguards Addressable 1. Facility Contingency Operations 2. Facility Security Plan 3. Physical Access Control and Validation 4. Facility Maintenance Records 5. Device and Media Accountability 6. Data Backup and Storage

Technical Safeguards Required 1. Unique User Identification No shared logins 2. Emergency access procedures 3. Audit controls Logs of who created, edited or viewed PHI 4. Person and/or Entity Authentication No systems without access control

Technical Safeguards Addressable 1. Automatic logoff 2. Encryption 3. Authentication of the integrity of stored and transmitted PHI

J. T. Ash UH HIPAA Compliance Officer jtash@hawaii.edu (808) 956-7241

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback