
REC support is provided under cooperative agreement 90RC0025/01 from the Office of the National Coordinator for HIT, US Dept. of Health and Human Services.


1 Scott C Pettigrew, Practice Consultant. Privacy & Security Process and Tools Overview

2 The Approach: Prepare, Identify, Prioritize, Mitigate

3 Prepare: Gather the knowledge, organizational information, and expertise to successfully perform a Privacy & Security audit.

4 Gather Knowledge
Research: Am I a Covered Entity (CE)? How do the Privacy & Security rules affect your organization? What are the possible implications if a breach occurs?
Perform Site Inventory: What technology is used in your practice? Do these items transmit, process, or store EPHI? Do you have a set of relevant policies and procedures? Where are they located? When were they last updated? When did you last review them with your staff?

5 Assemble Your Team
Internal Resources: Who are your designated Privacy/Security Officers? Who in your organization has the most knowledge about technology and how it’s used?
External Resources: IT Vendor; Parent or Affiliate Organization IT Security Staff; EHR Vendor; Regional Extension Center; Security Organizations

6 Tools: Preparation. REC-Provided Document: Privacy & Security Preparation: Necessary Resources

7 Tools: Preparation. ONC-Provided Document: HIT Security Risk Assessment Questionnaire: Inventory Assets (Preparation). http://www.healthit.gov/providers-professionals/core-measure-15

8 Soapbox: Encryption. Lost/stolen devices are a major cause of reported security breaches! How would you prove what patient records were on a missing device? (Hint: If you don’t do daily backups, this is nearly impossible!)

9 Soapbox: Encryption. Encryption is not necessarily expensive! Free Alternatives:
PC: Microsoft EFS, BitLocker, TrueCrypt
Apple OSX: FileVault, TrueCrypt

10 Tools: Preparation. REC-Provided Document: Computer & Mobile Technology Encryption Log

11 Identify: Assess each functional area and technology resource where EPHI is processed, stored, or transmitted to find areas of vulnerability.

12 Tools: Identification. Facility Walkthrough

13 Tools: Identification. Risk Assessment Questionnaire: Screening Questions (Step 1)

14 Prioritize: Examine each possible vulnerability, honestly rating the current systems’ effectiveness, likelihood of breaches, and the impact a breach would have.

15 Tools: Prioritization. Risk Assessment Questionnaire: People & Processes (Step 2a)

16 Tools: Prioritization. Risk Assessment Questionnaire: Technology (Step 2b)

17 Mitigate: For each identified area of vulnerability, maximize the effectiveness of existing controls, and minimize both the possibility of breach and the extent of damage should an unavoidable breach take place.

18 Tools: Mitigation. Risk Assessment Questionnaire: Findings – Remediation (Step 3)

19 Tools: Mitigation. REC-Provided Document: Identified Vulnerability Action Plan

20 Prepare: Continue to gather the knowledge, organizational information, and expertise to successfully review and update your Privacy & Security audit on a yearly basis.

21 Prepare Now In Case of Audit!
CMS recommends the following documentation be retained:
Meaningful Use Objective: Protect Electronic Health Information
Audit Validation: Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period
Suggested Documentation: Report that documents the procedures performed during the analysis and the results. Report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.)
Source: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf

22 Tools: Preparation. REC-Provided Document: Policy Review Log

23 Contact Us!
Visit us online at www.tristaterec.org
Email us at rec@healthbridge.org
Call us at 513-469-7222, ext. 3
Follow us on Twitter: @HealthBridgeHIO
Like us on Facebook: www.facebook.com/pages/Cincinnati-OH/HealthBridge/128672340540952

