Managing the HIPAA & The Audit Trail Wayne Pierce, C|CISO.

Overview: Background; Compliance vs. Security; Recent HIPAA Changes; HIPAA Audit Requirements – Common Problems; Industry Trends – Expected Regulation – New Technology

Background Working in information security professionally for 19 years. Currently manage information security for a 700M+ health network. Active member of HIPAA-COW – Risk and Security workgroups

Compliance is not Security. Compliance is about meeting a checklist; while it can help address security issues, you are not secure just by being compliant. HIPAA Security requires a risk assessment to help bridge this gap.

Regulation or Policy: what we must do. Technical Capabilities: what we can do. Operational Request: what we want to do.

GAP Analysis vs. Risk Assessment The HIPAA Security Rule requires both a GAP analysis and a risk assessment. – The GAP analysis is focused on policies and procedures being in place. – The risk assessment is broader in focus and allows HIPAA to be applied to organizations of all sizes.

Recent HIPAA Changes - Timelines Almost all provisions went into effect March 26. Compliance enforcement will begin September 23. Existing Business Associate Agreements (prior to January 25, 2012) do not need to be updated until September 22, 2014.

Recent HIPAA Changes – Breach Notification The “harm threshold” has been removed and replaced with 4 objective factors. – This will result in more incidents being considered a breach and needing to be reported. A risk analysis must be performed for each incident. – OCR will issue guidance to aid us in performing risk assessments with frequently occurring scenarios.

Recent HIPAA Changes – Business Associates Business Associates and their sub-contractors are now directly liable under HIPAA. – Business Associates and their sub-contractors must have a HIPAA Privacy and Security program. Covered Entities are still accountable for the actions of their Business Associate and can be fined if they have a breach.

Recent HIPAA Changes - Enforcement and Penalties The penalty amount has not changed from the interim rule. – $100 to $50,000 per violation up to an annual maximum of $1.5 million per provision violated. OCR is now required to conduct a compliance review if willful negligence is indicated following a preliminary review. – This could result in more government oversight and additional fines.

Recent HIPAA Changes - Privacy Requirements There are several changes concerning the use of PHI for areas such as fundraising, marketing and student immunization records. Individuals have new rights to restrict disclosure of information that they pay for out of pocket. – If requested, this information must be restricted from going to an insurance company. The patient is responsible for notifying anyone “downstream” about the restriction.

Recent HIPAA Changes - Security Requirements No new Security Rule requirements have been established; however, all interim requirements are final. Larger fines are being levied for incidents which OCR feels are common sense. – Failure to encrypt a laptop has cost one entity $1.5 million and extra government auditing for the next 20 years at the entity’s expense.

HIPAA Audit Requirements The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. The protocol covers Security Rule requirements for administrative, physical, and technical safeguards. The protocol covers requirements for the Breach Notification Rule. Privacy and Breach – 88; Security – 77. Source:

HIPAA Audit Requirements - Top Items: Data Classification; Risk Assessments; System Activity Review Process; Security Training; Security Incident Response; Business Continuity and Disaster Recovery. The key is being able to prove that your choices were deliberate.

HIPAA Audit Requirements – Common Problems FDA Certified devices – May not always have auditing capabilities. Microsoft Excel and Access – Hard to audit and may not be known. Network File Storage – Hard to audit and is usually not deleted. Text Messaging – Can’t audit, sent unencrypted and stored on the cell provider’s system.

HIPAA Audit Requirements - Tools You must have a good operational security management program. The primary tool to find and manage PHI is Data Loss Prevention (DLP). – Shows information stored or transmitted over the network or on a computer. – Actions can be blocked or changed, for example: no saving to thumb drives unless the drive is encrypted; routing outbound e-mails that have PHI through the encryption system. HIPAA-COW has a free risk toolkit that maps to the OCR Audit Protocol.
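As an added illustration (not part of the presentation), here is a minimal Python model of the DLP policy this slide describes: treat content as PHI only when an identifier appears together with health context, block or route by channel, and write an audit-trail record that counts matches rather than copying the PHI into the log. The SSN/MRN patterns, channel names and sample events are constructed assumptions, not a real product's rules.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Detection patterns are constructed for this example; a real DLP product ships
# tuned classifiers. The MRN format "MRN-1234567" is an assumed convention.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN-\d{7}\b")
HEALTH_TERMS = ("diagnosis", "prescription", "lab result", "discharge")

@dataclass
class Finding:
    identifiers: List[str] = field(default_factory=list)
    health_terms: List[str] = field(default_factory=list)

    @property
    def is_phi(self) -> bool:
        # PHI is identifiable *health* information: an identifier alone (e.g. a payroll SSN) is not enough.
        return bool(self.identifiers) and bool(self.health_terms)

def classify(text: str) -> Finding:
    low = text.lower()
    ids = SSN_RE.findall(text) + MRN_RE.findall(text)
    return Finding(ids, [t for t in HEALTH_TERMS if t in low])

def decide(text: str, channel: str, encrypted: bool = False) -> str:
    """Slide policy: block unencrypted thumb drives, route outbound e-mail with PHI to encryption."""
    if not classify(text).is_phi:
        return "allow"
    if channel == "removable_media":
        return "allow" if encrypted else "block"
    if channel == "email_outbound":
        return "route_encrypt"
    return "alert"  # e.g. network share: flag for the system activity review process

def audit_record(user: str, text: str, channel: str, encrypted: bool = False) -> dict:
    """Audit-trail entry: log counts, never matched values, so the log is not another PHI store."""
    f = classify(text)
    return {"user": user, "channel": channel, "phi": f.is_phi,
            "ids": len(f.identifiers), "action": decide(text, channel, encrypted)}

# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    ("jdoe", "Discharge summary for MRN-0012345 attached", "email_outbound", False),
    ("jdoe", "Lab result for MRN-0012345", "removable_media", False),
    ("hr01", "Payroll update, SSN 123-45-6789", "email_outbound", False),
]

def run_policy() -> List[str]:
    return [audit_record(*e)["action"] for e in SAMPLE_EVENTS]
```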

Industry Trends – Expected Regulation With the new HIPAA rules we did not get an update to the Accounting for Disclosures requirement. – Currently Payment, Treatment and Operations are exempt. This exemption may be removed in the future.

New Technology - mHealth An increasing number of devices are being incorporated into smartphones as applications. – Pros: Individuals can take more control over their health, reducing costs and most likely saving lives. – Cons: Information is siloed within applications, may not be treated securely and applications may not perform the desired function. At some point doctors will prescribe applications, not just medications.

New Technology – Google Glass Wearable computer system that can overlay information through a head mounted display. – Pros: Google Glass could allow diagnostic imaging to be overlaid onto a patient while surgeries are being performed so that a separate system does not need to be referenced. – Cons: Currently all traffic routes through Google’s servers. The system is not Given the interest and money at stake the cons will be addressed quickly.

New Technology – Brain Machine Interface A way to read brain waves and directly translate them into computer actions. – Pros: Allows paralyzed people to interact with their world. – Cons: Who is accountable for the software and security of an implanted computer? When a computer’s actions are based upon your thoughts, who has a right to the logs? This may seem far off, but on Feb 28th Brown University announced a “wireless, broadband, rechargeable, fully implantable brain sensor that has performed well in animal models for more than a year.” Source:

Questions? Resources – HIPAA-COW ( Risk Toolkit – toolkit/ toolkit/