Risk Assessment Robert Morris VP Business Services Ion IT Group, Inc www.IonITGroup.com.


Risk Assessment Robert Morris VP Business Services Ion IT Group, Inc

Who I am: Robert Morris, VP of Business Services
- 20 years healthcare experience
- Senior healthcare information technologist in engineering and applications
- 18 years HIPAA security specialist
- VP Innovation, TNHIMSS
Previously employed by:
- ONC/TNREC
- Community Health Systems
- Healthstation
- IBM
- Numerous ambulatory providers / CAHs

Nashville

Not my intent

After our talk today you will be able to:
1. Confidently review your facility's Privacy & Security Risk Assessment
2. Help prepare your environment for data sharing
3. Use risk assessment tools

Most every provider has the goal of:
- Improving the health status of our community
- Reducing health care costs
- Improving the patient experience
- Enriching the lives of caregivers

So how exactly do you become compliant with HIPAA, HITECH, Meaningful Use, and Omnibus?


News from HIMSS 2014

In summary, what is… HIPAA? It established the Privacy and Security Rules for PHI.
- Privacy Rule: definitions; use and disclosure of PHI; notice of patient rights; how you handle PHI.
- Security Rule: definitions; how you secure PHI physically, technically, and organizationally (administrative safeguards); and the risk assessment.

In summary, what is… HITECH (Health Information Technology for Economic and Clinical Health Act)?
- It widened the scope of the Privacy and Security Rules
- It increased legal liability
- It provided more specific enforcement of certain parts of the rule, including breach notification
- It created the vehicle for state enforcement (state attorneys general)
- It created the vehicle for financial penalties
- It created mandatory penalties for "willful neglect"

In summary, what is… Meaningful Use and risk assessment? Objective: protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

In summary: HIPAA, HITECH, Omnibus. Meaningful Use asks whether you are managing PHI by performing a risk assessment.

Tools from HHS


We live in a complicated world...

Healthcare Partner Services (diagram)
Patient is referred to a clinical health partner via: hospital discharge, emergency room visit, physician referral, or patient self-referral.
Transitional / ambulatory / extended services: hospital discharge, skilled care, home visits, long-term care, emergency room, wellness coaching, disease management.
Social services: "life" resources, "family" resources, psychosocial needs, community resources.


"Covered entities and business associates have the burden of proof to demonstrate that data is managed and protected." Source: Ponemon Institute, Third Annual Benchmark Study Data Survey, 2012.

What the OCR audits found was troubling:
1. Minimal protection: a number of organizations lacked even rudimentary safeguards to protect their networks.
2. Poor data management: many covered entities did not have a handle on where their data "lived." Some of it was in spreadsheets, some on individual workstations, and much of it was, as expected, in core clinical applications.
3. Lack of oversight: overall, OCR discovered a general lack of monitoring and audit control. No one was minding the store, and breaches often went undetected.

Recent penalties in the news

How can a network breach happen? (Diagram: Internet → Firewall / Router / Switch ("nerd stuff") → Secure Network → PHI Host)

Preparing for data sharing: where PHI flows
- Inpatient stay
- Lab results
- Billing
- Care transition
- Surgical centers
- Business associates
- Hospice
- Home health
- Ambulatory care
- Health Information Exchange
- Referrals
- On and on and on…

How to help your organization with compliance

Accounting for Disclosures: always record why PHI is being disclosed, whether for treatment, payment, or health care operations, or under a patient authorization.
Minimum Necessary Rule: "…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose."

Tasks for the IT Dept
- Role-based access: manage who gets access to what.
- Firewall review: make sure that communication with the outside world is secure.
- Wireless security: manage who gets WiFi access, and confirm it is secure.
- Antivirus: manage software to keep viruses and malware at bay.
- Server/workstation updates: make sure all software AND hardware gets appropriate updates to mitigate problems.
- Replace antiquated, unsupported hardware whenever possible: no longer supported means no security updates.
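The two controls above that are easiest to get wrong in software are role-based access and the minimum-necessary rule, and the accounting-of-disclosures requirement from the previous slide depends on both being logged. The following is an added example, not code from the talk or from Ion IT Group: a small in-memory PHI store that releases only the fields a role needs, trims over-broad requests, and writes every attempted disclosure (successful or denied) to an accounting log. The roles, field sets, purposes and the sample patient record are all constructed for illustration.

```python
"""Role-based, minimum-necessary access to PHI with an accounting-of-disclosures log.

Added example, not from the presentation. Roles, field sets and the sample
record are hypothetical; a real deployment takes them from its own data
classification and workflow analysis.
"""
import time

# Constructed sample record; not real patient data.
SAMPLE_PATIENT = {
    "mrn": "000123",
    "name": "Test Patient",
    "dob": "1970-01-01",
    "diagnosis": "J45.909",
    "medications": ["albuterol"],
    "insurance_id": "INS-9876",
    "balance_due": 120.00,
    "ssn": "000-00-0000",   # in no role's field set, so never released
}

# Minimum-necessary policy (hypothetical): each role sees only the fields its
# job function requires. Anything not listed is withheld regardless of request.
ROLE_FIELDS = {
    "physician": {"mrn", "name", "dob", "diagnosis", "medications"},
    "billing": {"mrn", "name", "dob", "insurance_id", "balance_due"},
    "front_desk": {"mrn", "name", "dob"},
}

# Every access must state a purpose; it is recorded with the disclosure.
VALID_PURPOSES = {"treatment", "payment", "operations"}


class AccessDenied(Exception):
    """Raised when a request fails the role or purpose check."""


class PhiStore:
    def __init__(self, records):
        self._records = {r["mrn"]: r for r in records}
        self.disclosure_log = []   # accounting-of-disclosures entries

    def _log(self, user, role, mrn, purpose, fields, outcome):
        self.disclosure_log.append({
            "ts": time.time(), "user": user, "role": role, "mrn": mrn,
            "purpose": purpose, "fields": list(fields), "outcome": outcome,
        })

    def get(self, user, role, mrn, purpose, requested_fields=None):
        """Return the minimum-necessary view of a record for this role/purpose."""
        if role not in ROLE_FIELDS:
            self._log(user, role, mrn, purpose, [], "denied: unknown role")
            raise AccessDenied(f"unknown role {role!r}")
        if purpose not in VALID_PURPOSES:
            self._log(user, role, mrn, purpose, [], "denied: invalid purpose")
            raise AccessDenied(f"invalid purpose {purpose!r}")
        record = self._records.get(mrn)
        if record is None:
            self._log(user, role, mrn, purpose, [], "denied: no such record")
            raise KeyError(mrn)

        allowed = ROLE_FIELDS[role]
        wanted = set(requested_fields) if requested_fields else set(allowed)
        over_ask = sorted(wanted - allowed)          # fields the role may not see
        released = {k: record[k] for k in sorted(wanted & allowed) if k in record}

        # The over-ask is trimmed rather than failing the whole request, but it
        # is logged so the audit trail shows who asked for more than they needed.
        outcome = "ok" if not over_ask else f"trimmed: {over_ask}"
        self._log(user, role, mrn, purpose, released.keys(), outcome)
        return released

    def disclosures_for(self, mrn):
        """The accounting a patient can request: every disclosure attempt on their record."""
        return [e for e in self.disclosure_log if e["mrn"] == mrn]


if __name__ == "__main__":
    store = PhiStore([SAMPLE_PATIENT])
    print(store.get("dr_smith", "physician", "000123", "treatment"))
    print(store.get("clerk_1", "billing", "000123", "payment", ["name", "diagnosis", "balance_due"]))
    for entry in store.disclosures_for("000123"):
        print(entry["user"], entry["role"], entry["purpose"], entry["fields"], entry["outcome"])
```

Two design points matter for an audit: the log records denied attempts as well as releases, because an over-ask by a billing clerk for a diagnosis is itself a finding, and the `ssn` field is withheld from every role by default rather than blocked case by case, which is how the minimum-necessary rule is meant to work.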

Tasks for the IT Dept
- Backup: keep a backup of all data.
- Backup encryption: make backup data unreadable to snoopers.
- Recovery: have an operations and data recovery plan in case disaster strikes!

Tasks for the IT Dept
- Heartbleed (OpenSSL vulnerability, CVE-2014-0160) is serious!
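The first triage question after Heartbleed was "which of our hosts run an affected OpenSSL?" The following is an added example, not code from the talk: it decodes both the human-readable `openssl version` string and the numeric `OPENSSL_VERSION_NUMBER` that Python's `ssl` module exposes, and flags the affected upstream releases (1.0.1 through 1.0.1f, and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2). The version strings used in the test are constructed. Caveat a practitioner needs: distributions often backport the fix without changing the upstream version, so a "vulnerable" result here means "check the package changelog", not proof of exposure.

```python
"""Heartbleed (CVE-2014-0160) triage by OpenSSL version.

Added example, not from the presentation. Affected upstream releases:
OpenSSL 1.0.1 through 1.0.1f (including 1.0.1 pre-releases) and 1.0.2-beta1.
Fixed in 1.0.1g and 1.0.2-beta2. Distribution packages may carry a backported
fix under an older version string, so treat a hit as "verify", not "confirmed".
"""
import re
import ssl

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version_string(text):
    """Parse e.g. 'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e', None)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, patch, beta = m.groups()
    return (int(major), int(minor), int(fix), patch, int(beta) if beta else None)


def parse_version_number(n):
    """Decode the 1.0.x/1.1.x OPENSSL_VERSION_NUMBER layout (MNNFFPPS in hex).

    M = major nibble, NN = minor byte, FF = fix byte, PP = patch letter (1='a'),
    S = status nibble (0 = dev, 1..14 = beta N, 15 = release).
    OpenSSL 3.x uses a different layout; return None so the caller uses the string.
    """
    major = (n >> 28) & 0xF
    if major >= 3:
        return None
    minor = (n >> 20) & 0xFF
    fix = (n >> 12) & 0xFF
    patch = (n >> 4) & 0xFF
    status = n & 0xF
    letters = chr(ord("a") + patch - 1) if patch else ""
    beta = None if status == 0xF else status
    return (major, minor, fix, letters, beta)


def is_heartbleed_version(v):
    """True if the parsed version is an upstream release affected by CVE-2014-0160."""
    if v is None:
        return False
    major, minor, fix, patch, beta = v
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) and letters a..f are affected; g and later are fixed.
        return patch <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1            # 1.0.2-beta1 affected, beta2 fixed
    return False


def local_openssl_status():
    """Report on the OpenSSL this Python interpreter is linked against."""
    parsed = parse_version_number(ssl.OPENSSL_VERSION_NUMBER)
    if parsed is None:
        parsed = parse_version_string(ssl.OPENSSL_VERSION)
    return {
        "version": ssl.OPENSSL_VERSION,
        "parsed": parsed,
        "heartbleed_upstream_version": is_heartbleed_version(parsed),
    }


if __name__ == "__main__":
    print(local_openssl_status())
```

Run it on every host that terminates TLS, not only web servers: VPN concentrators, mail gateways and EHR integration engines linked against the affected library were just as exposed, and after patching, re-key and re-issue certificates, since private keys could have been read out of process memory.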

For more information / additional resources:
- Penalties and Enforcement
- Privacy and Security Guide from ONC (…and-security-guide.pdf)
- Breach Notification: who do I notify?

Thank you for your time today! Robert Morris