April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Slides:

Advertisements

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Advertisements

David Assee BBA, MCSE Florida International University

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

NAU HIPAA Awareness Training

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

Security Controls – What Works

Information Security Policies and Standards

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc Lightfall Court Columbia, MD A Blumberg Capital, Valley Ventures and Intel Capital Funded.

Information Security Training for Management Complying with the HIPAA Security Law.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

Basics of OHSAS Occupational Health & Safety Management System

HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA COMPLIANCE WITH DELL

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013 Virginia.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

Implementing the HIPAA Security Rule John Parmigiani National Practice Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Eliza de Guzman HTM 520 Health Information Exchange.

PricewaterhouseCoopers 1 Administrative Simplification: Privacy Audioconference April 14, 2003 William R. Braithwaite, MD, PhD “Doctor HIPAA” HIPAA Today.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

1 HIPAA Administrative Simplification Standards Yesterday, Today, and Tomorrow Stanley Nachimson CMS Office of HIPAA Standards.

Working with HIT Systems

Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

Energize Your Workflow! ©2006 Merge eMed. All Rights Reserved User Group Meeting “Energize Your Workflow” May 7-9, Security.

1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.

Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.

HIPAA Security Final Rule Overview

HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Healthcare Security Professional Roundtable John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc.

Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,

Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.

Health Insurance Portability and Accountability Act HIPAA 101

Paul T. Smith Davis Wright Tremaine LLP

Health Insurance Portability and Accountability Act

Final HIPAA Security Rule

Health Insurance Portability and Accountability Act

County HIPAA Review All Rights Reserved 2002.

The Practical Side of Meaningful Use:

Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP

HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.

Lesson 1  7 Basic Components of an Effective Compliance Plan

HIPAA Security Standards Final Rule

Drew Hunt Network Security Analyst Valley Medical Center

HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Presentation transcript:

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National Practice Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

2 HIPAA Security Standards  Are based upon good business practices and  Have these basic characteristics:  Comprehensive  Flexible  Scalable  Technology Neutral

3 Good Security Practices  Access Controls- restrict user access to PHI based on need-to-know  Authentication- verify identity and allow access to PHI by only authorized users  Audit Controls- identify who did what and when relative to PHI

4 So…Security is Good Business  “ Reasonable measures” need to be taken to protect confidential information (due diligence)  A balanced security approach provides due diligence without impeding health care  Good security can reduce liabilities- patient safety, fines, lawsuits, bad public relations  Can have security by itself, but Cannot have Privacy without Security!

5

6 Serendipity Effect of Privacy Compliance  Complying with the Security Rule should be fairly easy if you have done the preliminary work for Privacy- PHI flow, risk assessments  Implementation of “safeguards” to protect the privacy of PHI  Balance through synchronization and symmetry

7 Immediate Steps  Assign responsibility to one person-CSO and establish a compliance program  Conduct a risk analysis  Deliver security training, education, and awareness in conjunction with privacy  Develop/update policies, procedures, and documentation as needed  Review and modify access and audit controls  Establish security incident reporting and response procedures  Make sure your business associates and vendors help enable your compliance efforts

8 Security Compliance Program Steps 1. Appoint an official to oversee the program 2. Set standards of expected conduct 3. Establish training, education, and awareness program 4. Create a process for receiving and responding to reports of violation 5. Audit and monitor for compliance on an on-going basis 6. Take appropriate corrective actions

9 Risk Analysis  What needs to be protected? (Assets – Hardware, software, data, information, knowledge workers/people)  What are the possible threats? (Acts of nature, Acts of man)  What are the vulnerabilities that can be exploited by the threats?  What is the probability or likelihood of a threat exploiting a vulnerability?  What is the impact to the organization?  What controls are needed to mitigate impacts/ protect against threats

10 Information Security Policy  The foundation for an Information Security Program  Defines the expected state of security for the organization  Defines the technical security controls for implementation  Without policies, there is no plan for an organization to design and implement an effective security program  Provides a basis for training

11 Audits  Data Owners periodically receive an access control list of who has access to their systems and what privileges they have  Users are randomly selected for audit  Audit data is provided to their managers  Warning banners are displayed at logon to any system or network (“No expectation of privacy”)  Audit logs are stored on a separate system and only the Information Security Officer has access to the logs  Audit trails generated and evaluated

12 Incident Reporting and Response  Can staff identify an unauthorized use of patient information?  Do staff know how to report security incidents?  Will staff report an incident?  Is there one telephone number that staff can call to report any type of incident?  Are there trained and experienced employees responsible for collecting and preserving evidence?  Is the procedure enforced?

13

14 Security Compliance Questions  Have you designated a single individual as the Information Security Official?  Have you developed an Information Security Policy?  Have you conducted a Risk Analysis and have the documentation to prove it?  Have you conducted a detailed technical analysis of network controls?  Have you established meaningful Audit Controls?  Have you updated Contingency Plans?

15 Security Compliance Questions…  Have you developed Security Incident Reporting and Response Procedures?  Have you reviewed Human Resources Policies relating to Workforce Security?  Have you reviewed Information Access Management Policies?  Have you established Device and Media Controls?  Have you developed a Facility Security Plan that ensures physical safeguards for PHI?

16 Security Compliance Questions…  Have you developed a Policy on Workstation Use and Security?  Have you developed an Information Security Training, Education, and Awareness Program?  Have you instituted Authentication for all members of the Workforce?  Have you developed Business Associate Contracts?

17 /