
Risk Assessment Robert Morris VP Business Services Ion IT Group, Inc


Presentation on theme: "Risk Assessment Robert Morris VP Business Services Ion IT Group, Inc"— Presentation transcript:

1 Risk Assessment Robert Morris VP Business Services Ion IT Group, Inc

2 Who I am
Robert Morris, VP of Business Services
 20 years healthcare experience
 Sr healthcare information technologist in engineering and applications
 18 years HIPAA security specialist
 VP Innovation, TNHIMSS
Previously employed by:
 ONC/TNREC
 Community Health Systems
 Healthstation
 IBM
 Numerous ambulatory providers/CAHs

3 Nashville

4 Not my intent

5 After our talk today you will be able to:
1. Confidently review your facility's Privacy & Security Risk Assessment
2. Help prepare your environment for data sharing
3. Risk Assessment tools


7 Most every provider has the goal of….
 Improving the Health Status of our Community
 Reducing Health Care Costs
 Improving the Patient Experience
 Enriching the Lives of Caregivers

8 So how exactly do you actually become compliant with HIPAA, HITECH, Meaningful Use, Omnibus?

9

10 News from HIMSS 2014

11 In summary, what is…. HIPAA
It was the establishment of Privacy and Security Rules for PHI.
Privacy: definition, use and disclosure of PHI, notice of rights, how you handle PHI.
Security: definitions, how you secure PHI physically and technically, how the organization cares for it, and the risk assessment.

12 In summary, what is…. HITECH (Health Information Technology for Economic and Clinical Health Act)
It widened the scope of the Privacy and Security Rules.
It increased legal liability.
It provides/created more specific enforcement of certain parts of the rule:
 Breach notification
 Created the vehicle for state enforcement
 Created the vehicle for financial penalties
 Created mandatory penalties for “willful neglect”

13 In summary, what is…. Meaningful Use and Risk Assessment
Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

14 In summary, what is…. HIPAA, HITECH, OMNIBUS
Meaningful Use asks whether you are managing PHI by performing a risk assessment.

15 Tools from HHS

16 Tools from HHS

17 We live in a complicated world...

18 Healthcare Partner Services (diagram)
Patient is referred to a clinical health partner via: hospital discharge, emergency room visit, physician referral, or patient self-referral.
Service categories: Transitional; Ambulatory / Extended; Social Services.
Services shown: Hospital Discharge, Skilled Care, Home Visits, Long Term Care, Emergency Room, Wellness Coaching, Disease Management, “Life” Resources, “Family” Resources, Psychosocial Needs, Community Resources.

19

20 Source: Ponemon Institute 3rd Annual Benchmark Study Data Survey 2012
“Covered entities and business associates have the burden of proof to demonstrate that data is managed and protected.”

21 What they found was troubling:
1. Minimal Protection: A number of organizations lacked even rudimentary safeguards to protect their networks.
2. Poor Data Management: Many covered entities did not have a handle on where their data ‘lived.’ Some of it was in spreadsheets, some on individual workstations, and much of it was, as expected, in core clinical applications.
3. Lack of Oversight: Overall, the OCR discovered a general lack of monitoring and audit control. No one was minding the store, and breaches often went undetected.

22 Recent penalties in the news

23 How can a network breach happen?
(Diagram: Internet → Firewall/Router/Switch (“nerd stuff”) → Secure Network → PHI Host)

24 Preparing for data sharing
 Inpatient stay
 Lab results
 Billing
 Care Transition
 Surgical Centers
 Business Associate
 Hospice
 Home Health
 Ambulatory Care
 Health Information Exchange
 Referral
 On and on and on…

25 How to help your organization with compliance.

26 Accounting for Disclosures
Always indicate why treatment, payment, or authorization information is being disclosed.
Minimum Necessary Rule: “…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose.”

27 Tasks for the IT Dept
Role-Based Access: Manage who gets access to what.
Firewall Review: Make sure that communication with the outside world is secure.
Wireless Security: Manage who gets WiFi access and whether it is secure.
Antivirus: Manage software to keep viruses and malware at bay.
Server/Workstation Updates: Make sure all software AND hardware gets appropriate updates to mitigate problems. Replace antiquated, non-supported hardware whenever possible.
No longer supported. No security updates.

28 Tasks for the IT Dept
Backup: Keep a backup of all data.
Backup Encryption: Make backup data unreadable to snoopers.
Recovery: Have an operation and data recovery plan in case disaster strikes!

29 Tasks for the IT Dept
The Heartbleed OpenSSL vulnerability is serious!

30 For more information/additional resources:
Penalties and Enforcement
and-security-guide.pdf (Privacy and Security Guide from ONC)
Breach Notification / Who do I notify?

31 Thank you for your time today! Robert Morris 615.351.4796
