HIPAA Security Final Rule Overview for HIPAA Summit West, June 5, 2003, Karen Trudel.


Publication Information
- Printed in Federal Register 2/20/03
- Compliance Date 4/21/05 (4/21/06 for Small Health Plans)
- Document can be located at

Purpose
- Ensure integrity, confidentiality and availability of electronic protected health information
- Protect against reasonably anticipated threats or hazards, and improper use or disclosure

Scope
- All electronic protected health information (EPHI)
  - NOT oral and paper PHI
- In motion AND at rest
- All covered entities

Security Standards General Concepts
- Flexible, Scalable
  - Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan
- Comprehensive
  - Cover all aspects of security – behavioral as well as technical
- Technology Neutral
  - Can utilize future technology advances in this fast-changing field

Recent WEDI Policy Advisory Group
- Assessed need to request changes/guidance
- Result: a few clarifications needed; outreach needed
- Clarifications:
  - Relief from burdensome security incident reporting requirement
  - Clarify status of NIST Guidance documents
- Consensus was to preserve flexibility by not requesting official guidance

Implementation Process
- Reminiscent of Y2K
- Phases:
  - Education
  - Assessment
  - Remediation
  - Testing/Validation

Assessment Phase Critical
- Standard: Security Management Process
  - Risk Analysis – What are the various risks? How severe? How likely?
  - Risk Management – What solutions best reduce risk to an acceptable level
- Remember: No such thing as absolute security

Where to Start?
- Leverage progress made in privacy implementation
  - Identified PHI
  - Identified business associates
- Build on “mini-security rule” in privacy

What Next?
- Add on issues related to integrity and availability
- Brings into play requirements like disaster recovery

Filling the Gaps
- Look at entire range of options
- Assess
  - Relative risk
  - How well various options mitigate the risk
  - Cost
- High tech high cost options aren’t necessarily safer

Example: Security Awareness Training
- Could be done by various means:
  - Develop curriculum and send staff to formal classes
  - Develop web-based training
  - Take advantage of “teachable moments”
    - New staff orientation
    - Regular department meetings
    - E-mailed reminders
    - Articles in company newsletter

Remember
- Technology is not always the answer… many of the standards are administrative
- Important to:
  - Make supportable decisions
  - Document those decisions
  - Revisit decisions periodically to assure they are still valid

Enforcement - General
- Complaint driven
- Penalties
  - $100 for each violation
  - Maximum of $25,000 per year for all violations of an identical requirement

Enforcement – Issues
- Still studying – will be defined in Substantive Rule
- NPRM scheduled for publication this winter
- Issues include:
  - What is a “violation” and how are they counted
  - Are all standards weighed the same?

Conclusion
- Concentrate on the assessment phase
- Consider staging remediation
  - “low hanging fruit”
  - Areas of significant risk