HIPAA Security Rule Overview and Compliance Program
Presented by: Lennox Ramkissoon, CISSP, The People's Hospital HIPAA Security Manager
June 23rd, 2012



Introduction
- People's Hospital has made a significant financial and human resources investment to achieve HIPAA Security Rule compliance
- Healthcare delivery is undergoing significant changes, both in the regulatory environment and in the creation, access and use of digital data and information
- To ensure a trusted and growing relationship with the community we serve, as well as to attract the leading clinical staff, the best evidence-based toolsets must be available
- This dynamic landscape of highly credentialed staff delivering world-class evidence-based medicine with emerging digital tools mandates a HIPAA Security Rule program based on a continuously improving model

HIPAA Security Rule Principles
- Confidentiality: ePHI shall not be exposed to individuals without appropriate authorization (Access Control, Encryption, Data Loss Prevention)
- Integrity: unauthorized modification of ePHI, whether intentional or unintentional, must not occur (Access Control, Integrity Checking, Constrained User Interfaces, Two-Factor Authentication)
- Availability: ePHI shall be available to authorized individuals when and where it is required to support the delivery of evidence-based medicine (High Availability, Disaster Recovery, Business Continuity, Data Backup)

HIPAA Security Rule Highlights
- HIPAA Privacy Rule vs HIPAA Security Rule
- Administrative, Technical and Physical Safeguards
- Required attributes vs Addressable attributes
- Non-prescriptive, to aid adoption of new technologies, allow flexibility across organizational structures and foster alternative ways of fulfilling the desired outcomes
- Business Partners interacting with ePHI are classified as Covered Entities

Impact on People's Hospital: Losses from HIPAA Security Rule Non-Compliance
- Unrealized gains from investments in achieving HIPAA Security Rule compliance
- Security breaches
- Social and emotional impact on patients
- Revenue downturn for People's Hospital
- Loss of patient trust
- Regulatory fines
- Civil litigation from patients
- Civil litigation from Business Partners
- Criminal litigation

HIPAA Security Rule Operationalized
- HIPAA Security Rules
- People's Hospital General Policies
- Clinical Unit Specific Policies
- Device Standards
- Instructional Level Processes
- Minimum Controls for Security
- Best Practice Guidelines

HIPAA Security Rule Risk Management Program Cycle
- Assess Risk and Determine Needs
- Monitor and Evaluate
- Promote Awareness
- Implement Policies and Controls
- Central Management

Assess Risk and Determine Needs
- Inventory of systems and the flow of ePHI through them
- Inventory of Business Partners accessing, generating or updating ePHI
- Identify owners of systems and data
- Identify system and data custodians
- Identify and quantify risk
- Target the HIPAA compliance budget into programs as directed by the Board, based on a formal risk management protocol
- Do not forget physical access to areas hosting ePHI

Risk Management
- Risk must be identified
- Risk Avoidance
- Risk Transference
- Risk Mitigation
- Risk Acceptance

Monitor and Evaluate
- Develop metrics for HIPAA Security Rule compliance
- Ensure methods are in place to capture and analyze those compliance metrics
- Governance over Business Partners classified as covered entities, based on metrics
- Audit processes, systems and device configurations
- Vulnerability testing of COTS and custom applications and devices
- Remediate systems based on audit and testing results
- Keep up to date on regulatory and industry practices as they relate to HIPAA
- Update general and functional policies as required
- External / third-party audit

Workforce Development
- Awareness: general awareness of patient privacy for all members of People's Hospital, e.g. awareness days, posters, password policies
- Training: training specifically focused on the IT technical team and other members, as well as organization-specific training for pharmacy, nursing, radiology, etc.
- Education: formal education on HIPAA compliance auditing and security management for the People's Hospital HIPAA Security Team

Implement Policies and Controls
- Formal policy development process
- Policies shall be high level
- Policies shall be documented
- Policies should be reviewed
- Formal review / exception process for non-compliance
- Ramifications for non-compliance without formal review and approval

Summary
- Security Policies
- Controls
- Metric-based Audits
- Governance
- Risk Management
- Leadership Support
- Continuous Awareness, Training and Education
HIPAA Security compliance requires a continuously improving program, not a singular project or event.

Thank you
