Presentation is loading. Please wait.

Presentation is loading. Please wait.

April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

Published byLaurence Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National."— Presentation transcript:

1 April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National Practice Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

2 2 HIPAA Security Standards  Are based upon good business practices and  Have these basic characteristics:  Comprehensive  Flexible  Scalable  Technology Neutral

3 3 Good Security Practices  Access Controls- restrict user access to PHI based on need-to-know  Authentication- verify identity and allow access to PHI by only authorized users  Audit Controls- identify who did what and when relative to PHI

4 4 So…Security is Good Business  “ Reasonable measures” need to be taken to protect confidential information (due diligence)  A balanced security approach provides due diligence without impeding health care  Good security can reduce liabilities- patient safety, fines, lawsuits, bad public relations  Can have security by itself, but Cannot have Privacy without Security!

5 5

6 6 Serendipity Effect of Privacy Compliance  Complying with the Security Rule should be fairly easy if you have done the preliminary work for Privacy- PHI flow, risk assessments  Implementation of “safeguards” to protect the privacy of PHI  Balance through synchronization and symmetry

7 7 Immediate Steps  Assign responsibility to one person-CSO and establish a compliance program  Conduct a risk analysis  Deliver security training, education, and awareness in conjunction with privacy  Develop/update policies, procedures, and documentation as needed  Review and modify access and audit controls  Establish security incident reporting and response procedures  Make sure your business associates and vendors help enable your compliance efforts

8 8 Security Compliance Program Steps 1. Appoint an official to oversee the program 2. Set standards of expected conduct 3. Establish training, education, and awareness program 4. Create a process for receiving and responding to reports of violation 5. Audit and monitor for compliance on an on-going basis 6. Take appropriate corrective actions

9 9 Risk Analysis  What needs to be protected? (Assets – Hardware, software, data, information, knowledge workers/people)  What are the possible threats? (Acts of nature, Acts of man)  What are the vulnerabilities that can be exploited by the threats?  What is the probability or likelihood of a threat exploiting a vulnerability?  What is the impact to the organization?  What controls are needed to mitigate impacts/ protect against threats

10 10 Information Security Policy  The foundation for an Information Security Program  Defines the expected state of security for the organization  Defines the technical security controls for implementation  Without policies, there is no plan for an organization to design and implement an effective security program  Provides a basis for training

11 11 Audits  Data Owners periodically receive an access control list of who has access to their systems and what privileges they have  Users are randomly selected for audit  Audit data is provided to their managers  Warning banners are displayed at logon to any system or network (“No expectation of privacy”)  Audit logs are stored on a separate system and only the Information Security Officer has access to the logs  Audit trails generated and evaluated

12 12 Incident Reporting and Response  Can staff identify an unauthorized use of patient information?  Do staff know how to report security incidents?  Will staff report an incident?  Is there one telephone number that staff can call to report any type of incident?  Are there trained and experienced employees responsible for collecting and preserving evidence?  Is the procedure enforced?

13 13

14 14 Security Compliance Questions  Have you designated a single individual as the Information Security Official?  Have you developed an Information Security Policy?  Have you conducted a Risk Analysis and have the documentation to prove it?  Have you conducted a detailed technical analysis of network controls?  Have you established meaningful Audit Controls?  Have you updated Contingency Plans?

15 15 Security Compliance Questions…  Have you developed Security Incident Reporting and Response Procedures?  Have you reviewed Human Resources Policies relating to Workforce Security?  Have you reviewed Information Access Management Policies?  Have you established Device and Media Controls?  Have you developed a Facility Security Plan that ensures physical safeguards for PHI?

16 16 Security Compliance Questions…  Have you developed a Policy on Workstation Use and Security?  Have you developed an Information Security Training, Education, and Awareness Program?  Have you instituted Authentication for all members of the Workforce?  Have you developed Business Associate Contracts?

17 17 john.parmigiani@ctghs.comjohn.parmigiani@ctghs.com / 410-750-2497

Download ppt "April 14, 2003- A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Security Consulting Risk.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc. 11705 Lightfall Court Columbia, MD 21044 A Blumberg Capital, Valley Ventures and Intel Capital Funded.

© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc Lightfall Court Columbia, MD A Blumberg Capital, Valley Ventures and Intel Capital Funded.

Similar presentations

Ads by Google