Presentation is loading. Please wait.

Presentation is loading. Please wait.

September 12, 2004 Simplifying the Administration of HIPAA Security Angel Hoffman, RN, MSN Director, Corporate Compliance University of Pittsburgh Medical.

Published byQuentin Mathews Modified over 9 years ago

Similar presentations

Presentation on theme: "September 12, 2004 Simplifying the Administration of HIPAA Security Angel Hoffman, RN, MSN Director, Corporate Compliance University of Pittsburgh Medical."— Presentation transcript:

1

2 September 12, 2004 Simplifying the Administration of HIPAA Security Angel Hoffman, RN, MSN Director, Corporate Compliance University of Pittsburgh Medical Center, Pittsburgh, PA hoffmanam@upmc.edu

3 Assigning security responsibility Work group structure, meetings to identify the requirements of the security rule. Developing standards and entity or application specific procedures Business associate agreements Managing the process: Holding open forums for education of the security liaisons Frequent communications Documentation of the process and rationale for decisions Contingency planning and incident response procedures

4 How do I get my arms around this? Feel like a sinking ship???

5 Implementing A HIPAA Security Compliance Program HIPAA Security Unlocking the secret…

6 Risk Assessment Risk Assessment is identified as an assessment of the potential impact to an organization’s operations and assets. In HIPAA Security the risk is the impact of the information on the organization. In today’s world of technology, information systems are the life line of the organization. Systems communicating to one another while maintaining privacy and data integrity of the information.

7 So you are not a technology guru… ?

8 HIPAA Intersections We have a head start due to work of HIPAA Privacy workgroups (e.g. Information Security and Privacy Awareness Brochure) Privacy  Security Security Awareness & Training Business Associate Contracts Privacy Officers for All Entities Multi-disciplinary Work Groups. Security Awareness & Training Business Associate Contracts Security Liaisons for All Entities Multi-disciplinary Work Groups * Remember HIPAA EDI – While maintaining privacy of the information we also need to look at the transactions from a security stand point.

9 Where to begin… Key Elements in Identifying Risk: Developing a gap analysis Risk assessment tool Policies Education/training Common issues – Budgetary Impact Management Support Multiple systems and applications

10 Creating the Team Assignments of work group leaders Developing work group assignments Creating and revising deliverables Leadership support Implementation at the entity or application specific level Evaluation Ongoing monitoring and auditing Access to all information on a share drive

11 Timeline Important dates: Work groups completed work Spring 2004 Training available September 7, 2004 Complete training December 31, 2004 Complete gap analysis by August 31, 2004 External review validation and analysis of program begin mid August 2004 Action plans and documentation due March 1, 2005 (ongoing monitoring) HIPAA Security Compliance April 21, 2005

12 Moving forward with increased experience…Keep in mind these things to consider: Size, complexity, and capabilities of your organization Cost and practicality Potential risk to organization Common sense decisions IMPACT ON PATIENT CARE

13 Information Security and Privacy Awareness Brochure Viruses UPMC Security Related Policies Security Violations/Incident Reporting Technical Assistance Privacy and Confidentiality Proper Computer Use Internet Use Passwords E-mail

14 What else? Future challenges: Protect and guard confidentiality and availability of PHI: verbal, paper and electronic data integrity Maintaining knowledge of HIPAA EDI and Security Rule requirements Maintain documentation and make available for review (6 years for privacy)

15 Next Steps???

16 Fitting all of the pieces together…

17 Virtual Compliance Officer (VCO) An Automated Assessment Tool Scalable Self-paced Questionnaire Provides Gap Analysis Generates Recommendations Provides an Ongoing Evaluation Monitoring Capability

18 HIPAA Security Implementation Guide Provides information for the Security Liaisons to follow as they implement the program Objectives: To document the organization’s implementation steps for complying with the HIPAA Security Standards To provide Security Liaisons with guidance on complying with the HIPAA Security Standard. To provide Security Liaisons with information to complete required responsibilities

19 Security Liaisons Establish individuals for each entity Train these individuals on their responsibilities Coordinate security risk assessments Evaluate existing security controls compliance with UPMC policies and standards Remedy any security control gaps Conduct ongoing compliance activities and monitoring Report all required information to the HIPAA Program Office Assist in addressing security issues

20 Responsibilities Understand subject to comply with HIPAA Security regulations Develop action plan to comply with HIPAA Security Standards by April 21, 2005 (internal deadline March 1, 2005) Create policies, standards, and procedures to comply with HIPAA Security Standards Educate and identify appropriate key stakeholders within business units to HIPAA Security Standard requirements Report compliance efforts progress and/or any obstacles and document them Maintain the privacy and security of all confidential information.

21 Security Liaison Job Description Qualifications: Background to technical and administrative processes related to computers, network, applications, physical security and contingency planning Ability to work with departments involved with storage, transmission, processing of electronic protected health information within their entity Ability to sort priorities, handle situations, solve problems and independently make decisions within timeframes of the HIPAA security regulation Working together collaboratively with Corporate Legal Staff, Senior Management, Information Security Group and the HIPAA Program Office at Corporate Compliance

22 Security Liaison Job Description (cont.) Responsibilities: Working to establish a system-wide oversight committee Enabling compliance with UPMC’s security policy, standards and procedures for their entity or computer applications Participating or representative identifying an entity representative to participate in workgroups Overseeing all HIPAA Security activities for their entity and computer applications Identifying opportunities to leverage existing Information Security services and processes that may include minimum security baselines, role base access control, and incident response Communicating a clear understanding of the HIPAA regulations and addressing issues as appropriate

23 HIPAA Security Workgroup Policy and Standard Review HIPAA Business Associate Workgroup- developed the language requirements for business associate contracts based upon the HIPAA Security regulations HIPAA Clinical Applications Workgroup- developed/modified the policies and standards for application specific security controls, such as audit, integrity, encryption, and authentication controls HIPAA Contingency Plan Workgroup- developed/modified the policies and standards related to contingency planning HIPAA E-mail Security Workgroup- developed/modified the policies and standards for electronic mail and messaging HIPAA PC/Desktop Workgroup- developed/modified the policies and standards related to desktop computers

24 HIPAA Security Workgroup Policy and Standard Review (cont.) Data Center Operations/Physical Security Workgroups- developed/modified the policies and standards related to data center operations and physical security

25 Policies

26 Policy Review New Policies - 3 Revised Policies - 7 Deleted Policies - 1 Standards Review New Standards - 8 Existing Standards Updated - 12 External Review Contracted consulting firm to review security architecture, perform vulnerability assessment and provide recommendations for implementation.

27 Security Awareness Training Staff Physician Manager Directions Security Liaison Directions

28 Other methods of education Reinforcing key elements through education/training –Multiple modalities for asking questions (e.g. HIPAA Ask Us Mailbox) –Identifying common questions for posting FAQs on internal web site –Articles in internal newsletters/publications as a quick reminder

29 Reporting Progress Using a Web-Based Scorecard Monthly Reporting: July- December 2004 Biweekly: January- February 2005 Weekly: March- April 2005

30 Compliance

31 ANY QUESTIONS ???

Download ppt "September 12, 2004 Simplifying the Administration of HIPAA Security Angel Hoffman, RN, MSN Director, Corporate Compliance University of Pittsburgh Medical."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Program Management Office (PMO) Design

Program Management Office (PMO) Design
Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.

Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
The importance of a Compliance program is to ensure that our agency meets the highest possible standards for all relevant federal, state and local regulations,

The importance of a Compliance program is to ensure that our agency meets the highest possible standards for all relevant federal, state and local regulations,
Information Governance and the Presidential Memo on Managing Government Records: Converging Issues and the Search for New Ideas Presidential Memorandum:

Information Governance and the Presidential Memo on Managing Government Records: Converging Issues and the Search for New Ideas Presidential Memorandum:
Security Controls – What Works

Security Controls – What Works
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Center for Health Care Quality Licensing & Certification Program Evaluation 1 August 2014 rev.

Center for Health Care Quality Licensing & Certification Program Evaluation 1 August 2014 rev.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Building a Compliance Risk Monitoring Program HCCA Compliance Institute New OrleansApril 19, 2005 Lois Dehls Cornell, Esq. Assistant Vice President, Deputy.

Building a Compliance Risk Monitoring Program HCCA Compliance Institute New OrleansApril 19, 2005 Lois Dehls Cornell, Esq. Assistant Vice President, Deputy.
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

Similar presentations

Ads by Google