The HIPAA–HITECH
Privacy and Security Rule Overview
&
Meaningful Use Core Requirements
for Risk Analysis
“Technology Made Easy”
Disclaimer
This guide was prepared to help small health care practices learn about the information security
considerations that they may need to take into account as they become more reliant on health
information technology. Use of this guide is voluntary and while it includes many important
concepts, it alone will not enable, nor was it designed to ensure, that a health care practice
complies with all applicable Federal and State laws.
Presentation Outline
HIPAA
The Privacy Rule
The Security Rule
HITECH
Meaningful Use
The Final Security Rule
Risk Analysis
Q&A
Helpful Information
HIPAA
The Health Insurance Portability
and Accountability Act of 1996 (HIPAA)
HIPAA is …
• Law that regulates an employee’s ability to qualify for health
coverage with a change in their employment situation
• Rules regulating the structure and format for Data Interchange
between health care entities
• Regulations protecting the privacy and security
of Protected Health Information (PHI)
HIPAA Verbiage
“Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity and availability of
electronic protected health information”
Vulnerability
NIST SP 800-30 defines a vulnerability as: a flaw or weakness in system
security procedures, design, implementation, or internal controls that could
be exercised (accidentally triggered or intentionally exploited) and result in
a security breach or a violation of the system’s security policy.
Vulnerability is the least contentious of the information security
definitions; its dictionary sense is simply “exposure to attack”. In
information security, then, a vulnerability can be defined as “a flaw or
weakness in hardware, software or process that exposes a system to
compromise”.
Threat
NIST SP 800-30 treats a “threat-source” as the combination of an actor and
a motivation, and a “threat” as the interaction between a threat-source and a
vulnerability: the potential for a threat-source to exercise (accidentally
trigger or intentionally exploit) a specific vulnerability.
A threat, then, is an intention or motivation, an actor, a possibility of
danger, or some combination of these. The definition preferred here is that a
threat is the “interaction of actor, motivation and vulnerability”.
Risk
NIST SP 800-30 – Risk is a measure of the extent to which an entity is threatened by a
potential circumstance or event, and is typically a function of: (i) the adverse impacts
that would arise if the circumstance or event occurs; and (ii) the likelihood of
occurrence. Information security risks are those risks that arise from the loss of
confidentiality, integrity, or availability of information or information systems and
reflect the potential adverse impacts to organizational operations (i.e., mission,
functions, image, or reputation), organizational assets, individuals, other
organizations, and the Nation.
Risk assessment is the process of identifying, estimating, and prioritizing information
security risks. Assessing risk requires the careful analysis of threat and vulnerability
information to determine the extent to which circumstances or events could
adversely impact an organization and the likelihood that such circumstances or
events will occur. The potential that a given threat will exploit vulnerabilities of an
asset or group of assets and thereby cause harm to the organization.
So “risk” contains elements of a threatening circumstance (actor, motivation and
vulnerability), probability and business impact. It is important to consider semantics
here: we are not considering the risk of a threat, we are considering the risk
associated with a business suffering an outcome as a result of a threat.
Risk Governance
National Institute of Standards and Technology (NIST) SP 800-30, Risk Management Guide
Risk assessment is the first process in the risk management methodology.
The risk assessment methodology has nine core components:
1. Understanding your environment (System characterization)
2. Vulnerability identification
3. Threat identification
4. Assessment of how you safeguard your systems now (Control analysis)
5. Likelihood analysis (what is the likelihood of a threat happening?)
6. Impact analysis (are there any systems that are “mission critical”?)
7. Risk determination (ranking these risks)
8. Control recommendations (what are the answers or solutions for your risks?)
9. Results documentation (documenting or reporting your results)
Related publications: SP 800-53A (Security Control Assessment Guide) and SP 800-66 (HIPAA Security Rule Implementation Guide)
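The nine components above are the procedure a small practice actually has to execute, and steps 4 through 7 (control analysis, likelihood, impact, risk determination) are where the judgement sits. The following is an added example, not code from this presentation or from NIST, of a small risk register that applies the SP 800-30 qualitative scales: each residual risk score is the product of a likelihood rating (1.0 / 0.5 / 0.1) and an impact rating (100 / 50 / 10), banded into Low, Medium and High, and the register is ranked and written out as step 9 documentation. The assets, threats, vulnerabilities and controls in SAMPLE_REGISTER are constructed for illustration; the one-level-per-effective-control credit in residual_likelihood is an assumption of this example, not a NIST rule.

```python
"""Risk determination for ePHI systems following the NIST SP 800-30 (2002)
qualitative method: characterize the system, pair each vulnerability with a
threat, credit existing controls, rate likelihood and impact, score and rank,
and document. Added example; not the presentation's or NIST's own code."""
from dataclasses import dataclass, field

# Qualitative scales from NIST SP 800-30 (2002), Tables 3-4 and 3-6.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
LEVEL_ORDER = ["low", "medium", "high"]


@dataclass
class Control:
    name: str
    effective: bool  # step 4: is it implemented and working as intended?


@dataclass
class Risk:
    asset: str                # step 1: system that creates/receives/maintains/transmits ePHI
    vulnerability: str        # step 2
    threat: str               # step 3
    inherent_likelihood: str  # step 5, before crediting controls
    impact: str               # step 6: consequence of losing C/I/A of the ePHI
    controls: list[Control] = field(default_factory=list)  # step 4


def residual_likelihood(risk: Risk) -> str:
    """Assumption of this example (not an SP 800-30 rule): each effective
    existing control lowers likelihood one level, never below 'low'. An
    ineffective control earns no credit, which is what control analysis
    is meant to surface."""
    idx = LEVEL_ORDER.index(risk.inherent_likelihood)
    credit = sum(1 for c in risk.controls if c.effective)
    return LEVEL_ORDER[max(0, idx - credit)]


def risk_score(risk: Risk) -> float:
    """Step 7: SP 800-30 risk = likelihood rating x impact rating (1 to 100)."""
    return round(LIKELIHOOD[residual_likelihood(risk)] * IMPACT[risk.impact], 1)


def risk_level(score: float) -> str:
    """SP 800-30 Table 3-6 bands: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def rank_risks(risks: list[Risk]) -> list[tuple[Risk, float, str]]:
    """Highest residual risk first; sorted() is stable so ties keep input order."""
    scored = []
    for r in risks:
        score = risk_score(r)
        scored.append((r, score, risk_level(score)))
    return sorted(scored, key=lambda t: -t[1])


def report(risks: list[Risk]) -> list[str]:
    """Step 9: one documentation line per risk in priority order. Ineffective
    controls are named so the step 8 recommendations have a concrete target."""
    lines = []
    for r, score, level in rank_risks(risks):
        gaps = [c.name for c in r.controls if not c.effective]
        line = f"{level.upper():6} {score:5.1f}  {r.asset}: {r.threat} via {r.vulnerability}"
        if gaps:
            line += f" [ineffective: {', '.join(gaps)}]"
        lines.append(line)
    return lines


# Constructed sample register for a small practice (illustrative, not real data).
SAMPLE_REGISTER = [
    Risk("EHR database server", "operating system patches months behind",
         "ransomware/malware infection", "high", "high",
         [Control("antivirus on server", True), Control("monthly patch process", False)]),
    Risk("Backup drive", "nightly backups copied unencrypted to a portable drive",
         "theft or loss of the drive", "high", "high"),
    Risk("Front-desk workstation", "shared login, no automatic logoff",
         "visitors view records on an unattended screen", "high", "medium",
         [Control("privacy screen filter", True)]),
    Risk("Practice email", "ePHI sent to referral partners in plain email",
         "interception in transit", "medium", "high"),
    Risk("Office copier", "internal drive retains scanned records",
         "disposal of the copier without wiping", "low", "high"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER):
        print(line)
```

Note what the ranking shows: the unencrypted backup drive with no compensating control lands at the top, while the unpatched server is pulled down to Medium only because the antivirus control is credited; the ineffective patch process is still named on its line so the control recommendation is obvious. That is the "reasonable and appropriate" argument the Security Rule expects a practice to be able to document.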
Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals’
health information (called “protected health information”) by organizations
subject to the Privacy Rule (called “covered entities”), as well as standards for
individuals' privacy rights to understand and control how their health
information is used.
Privacy Rule Goal
A major goal of the Privacy Rule is to assure that individuals’ health
information is properly protected while allowing the flow of health information
needed to provide and promote high quality health care and to protect the
public's health and well being. The Rule strikes a balance that permits
important uses of information, while protecting the privacy of people who
seek care and healing.
Security Rule
The HIPAA Security Rule establishes national standards to protect
individuals’ electronic personal health information that is created,
received, used, or maintained by a covered entity.
Security Rule Requires
The Security Rule requires appropriate administrative, physical and
technical safeguards to ensure the confidentiality, integrity, and
security of electronic protected health information.
The HIPAA Security Rule
Final Security Rule, February 20, 2003
§164.306(a) General requirements
Covered entities must do the following:
(1) Ensure the confidentiality, integrity and availability of all electronic protected
health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required under subpart E of this part; and
(4) Ensure compliance with this subpart by its workforce.
Modified by the Department of Health and Human Services on 01/25/2013.
Risk Analysis
under the Security Rule
HIPAA requires that each covered entity conduct a formal risk analysis.
Specifically, this means:
• Analyze the risks and vulnerabilities to the ePHI each covered entity creates,
maintains, stores or transmits
• Understand the probability of these risks and vulnerabilities
• Assess measures already in place to reduce these risks
• Analyze its information and applications to find what is critical and what is not
• Conduct a formal risk analysis that balances the cost of security against the
expected value of losses
• As a result of the analysis each entity must have a formal risk management
process that reduces risk to an acceptable level
Risk Analysis Requirements
under the Security Rule
The Security Management Process standard in the Security Rule requires organizations to:
“[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk
analysis is one of four required implementation specifications that provide instructions to implement the Security
Management Process standard. Section 164.308(a)(1)(ii)(A) states:
• RISK ANALYSIS (Required).
• Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health information held by the [organization].
• The following questions, adapted from NIST Special Publication (SP) 800-66 [5], are examples organizations could consider as
part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to
consider in implementing the Security Rule:
• Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or
transmit.
• What are the external sources of e-PHI?
• For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
• What are the human, natural, and environmental threats to information systems that contain e-PHI?
• In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in
reaching substantial compliance with many other standards and implementation specifications. For example, the Rule
contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336
(Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the
implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable
and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb.
20, 2003); 45 C.F.R. § 164.306(d)(3).)
• The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an
equivalent measure is reasonable and appropriate.
[5] See NIST SP 800-66, Section 4, "Considerations When Applying the HIPAA Security Rule." Available at
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf
Who Should Conduct the Security Risk Analysis?
• Your EMR vendor will NOT meet this requirement for you
• IT vendor – may lack HIPAA and non-technical expertise
• The practice itself – usually lacks the resources and expertise
• Third-party independent auditor
HIPAA Security Rule
Requirements
• Administrative Safeguards Standards
– Security Management Process (Risk Analysis, Risk Management)
– Information Access Management
– Security Awareness & Training
• Physical Safeguards
– Workstation security & device/media controls
• Technical Safeguards
– Access controls to ePHI
– Audit & transmission security
• Organizational Requirements
– BA contracts addressing security of ePHI
– Policy & procedures documentation
Structure of the Security Rule
• Standards – the broad security requirements
– The standards are “required”
• Implementation Specifications
– The more detailed instructions contained within each Standard
– Some are required (R)
– Some are addressable (A) – flexibility and latitude in meeting
– Based on what’s “reasonable and appropriate”
Defining Reasonable and Appropriate
• The size, complexity and technical capabilities of the
covered entity
• The nature of the patient population (celebrities,
athletes) and the sensitivity of the data
• The costs of security measures
• From the risk analysis - The likelihood and criticality
of potential risks to ePHI
HITECH Act
HITECH stands for the Health Information Technology for Economic and
Clinical Health Act, enacted by the U.S. Congress in 2009 as part of the
American Recovery and Reinvestment Act. The act pushes medical establishments
to adopt and make use of Electronic Health Records, with the deadline falling
in the year 2019.
HITECH Offers
The government offers incentive programs for medical establishments that
follow the HITECH Act. Moving their records into EHR systems is recommended
for better security while giving easy access to their files when needed. Those
that do not comply with the HITECH Act are penalized as stated in the act,
which medical practices are keen to avoid, hence the move to EHR.
Maximum incentive: Medicare = $44,000 (over 5 years); Medicaid = $63,750 (over 6 years)
Penalties Increased
Penalties before HITECH (noncompliance):
• $100 per violation, up to $25,000 per year for violations of the same requirement
• For example, not having a risk analysis would be such a violation
Penalties after HITECH:
• Due to reasonable cause: $1,000 per violation, $100K max
• Due to willful neglect, corrected: $10,000 per violation, $250K max
• Due to willful neglect, uncorrected: $50,000 per violation, $1.5M max
"Meaningful Use"
The American Recovery and Reinvestment Act of 2009
specifies three main components of Meaningful Use:
• The use of a certified EHR in a meaningful manner, such as e-
prescribing.
• The use of certified EHR technology for electronic exchange of
health information to improve quality of health care.
• The use of certified EHR technology to submit clinical quality and
other measures.
Simply put, "meaningful use" means providers need to show they're
using certified EHR technology in ways that can be measured
significantly in quality and in quantity.
Meaningful Use and Risk Analysis
Meaningful Use Stage 1 Core Criteria (excerpt)
#12 Provide patients with an electronic copy of their health information upon request
#13 Provide clinical summaries for patients for each office visit
#14 Perform at least one test of certified EHR technology's capacity to electronically exchange key clinical information
#15 Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary
Meaningful Use and Risk Analysis
Meaningful Use Stage 2 Core Criteria
Core Measure 9 of 17; date issued: October 2012
Objective: Protect Electronic Health Information
Protect electronic health information created or maintained by the certified
EHR technology (CEHRT) through the implementation of appropriate technical
capabilities.
Measure
Conduct or review a security risk analysis in accordance with the requirements
under 45 CFR 164.308(a)(1), including addressing the encryption/security of
data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv)
and 45 CFR 164.306(d)(3), and implement security updates as necessary and
correct identified security deficiencies as part of the provider's risk
management process for EPs.
Exclusion
No exclusion.
Why Security Risk Analysis?
• Justification for “Reasonable and Appropriate”
for Addressable Implementation Specifications
• Identify assets, vulnerabilities and controls
• Improved basis for decision making
• Justify Expenditures for Security
• Helps determine personnel access levels
• It is required for compliance
• Reduce your IT cost of ownership
HHS's Summary of the HIPAA Omnibus Rule
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health
Information Technology for Economic and Clinical Health (HITECH) Act, and certain other
modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010.
These modifications:
A) Make Business Associates of Covered Entities directly liable for compliance with certain of the
HIPAA Privacy and Security Rules' requirements.
B) Strengthen the limitations on the use and disclosure of protected health information for
marketing and fundraising purposes, and prohibit the sale of protected health information
without individual authorization.
C) Expand individuals' rights to receive electronic copies of their health information and to
restrict disclosures to a health plan concerning treatment for which the individual has paid out of
pocket in full.
D) Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
E) Modify the individual authorization and other requirements to facilitate research and
disclosure of child immunization proof to schools, and to enable access to decedent information
by family members or others.
F) Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously
adopted in the October 30, 2009, interim final rule, such as the provisions addressing
enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to
incorporate the increased and tiered civil money penalty structure
provided by the HITECH Act, originally published as an interim final rule on
October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health
Information under the HITECH Act, which replaces the breach notification
rule's "harm" threshold with a more objective standard and supplants an
interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic
Information Nondiscrimination Act (GINA) to prohibit most health plans
from using or disclosing genetic information for underwriting purposes,
which was published as a proposed rule on October 7, 2009.
HIPAA Security Considerations
The HIPAA Security Rule addresses electronic
patient health information or ePHI.
19 standards, 42 specifications
The documentation requirement is daunting
No guidance is provided to address requirements
Limited availability of resources
Security expertise is expensive
Our Consulting Features
• Endorsed by NIST, Homeland Defense and leading medical organizations and
societies
• Over 55 specific HIPAA requirements addressed
• Cost-effective
• Differentiation between Required and Addressable items
• Reporting and progress reports
– Network mapping and vulnerability scanning
– Management and technical detailed summary
– Remediation reporting
– Priority and status tracking
– Gap analysis
– SAL diagrams
• Tips, definitions, and example compliance efforts
• Recording of comments and compliance documentation
• Blueprint necessary for HIPAA Security Risk Management compliance
• We work with your IT group and organization
• Our Policies and Procedures Templates cover all 55 HIPAA-HITECH requirements
HIPAA Security Onsite
Investigations and Compliance Reviews
Personnel that may be interviewed
• President, CEO or Director
• HIPAA Compliance Officer
• Lead Systems Manager or Director
• Systems Security Officer
• Lead Network Engineer and/or individuals responsible for:
• administration of systems which store, transmit, or access Electronic
Protected Health Information (EPHI)
• administration systems networks (wired and wireless)
• monitoring of systems which store, transmit, or access EPHI
• monitoring systems networks (if different from above)
• Computer Hardware Specialist
• Disaster Recovery Specialist or person in charge of data backup
• Facility Access Control Coordinator (physical security)
• Human Resources Representative
• Director of Training
• Incident Response Team Leader
• Others as identified….
HIPAA Security Onsite Investigations and Compliance Reviews
Documents and other information
Policies and Procedures and other Evidence that Address the Following:
• Prevention, detection, containment, and correction of security violations
• Employee background checks and confidentiality agreements
• Establishing user access for new and existing employees
• List of authentication methods used to identify users authorized to access EPHI
• List of individuals and contractors with access to EPHI to include copies pertinent business associate agreements
• List of software used to manage and control access to the Internet
• Detecting, reporting, and responding to security incidents (if not in the security plan)
• Physical security
• Encryption and decryption of EPHI
• Mechanisms to ensure integrity of data during transmission, including transmission via portable media
(e.g., laptops, cell phones, BlackBerrys, thumb drives)
• Monitoring systems use -authorized and unauthorized
• Use of wireless networks
• Granting, approving, and monitoring systems access (for example, by level, role, and job function)
• Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
• Termination of systems access
• Session termination policies and procedures for inactive computer systems
• Policies and procedures for emergency access to electronic information systems
• Password management policies and procedures
• Secure workstation use (documentation of specific guidelines for each class of workstation,
e.g., on-site, laptop, and home system usage)
• Disposal of media and devices containing EPHI
HIPAA Security Onsite Investigations and Compliance Reviews
Documents and other information (cont.)
Other Documents:
• Entity-wide Security Plan
• Risk Analysis (most recent)
• Risk Management Plan (addressing risks identified in the Risk Analysis)
• Security violation monitoring reports
• Vulnerability scanning plans
• Results from most recent vulnerability scan
• Network penetration testing policy and procedure
• Results from most recent network penetration test
• List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
• Configuration standards to include patch management for systems which store, transmit, or access EPHI (including workstations)
• Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
• Organization chart to include staff members responsible for general HIPAA compliance to include the protection of EPHI
• Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI
policies and procedures (security awareness training)
• Policies and procedures governing the use of virus protection software
• Data backup procedures
• Disaster recovery plan
• Disaster recovery test plans and results
• Analysis of information systems, applications, and data groups according to their criticality and sensitivity
• Inventory of all information systems to include network diagrams listing hardware and software used to store, transmit or
maintain EPHI
• List of all Primary Domain Controllers (PDC) and servers
• Inventory log recording the owner and movement of media and devices that contain EPHI
Myths and Facts about the Security Risk Analysis
Myth: The security risk analysis is optional for small providers.
Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In
addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.
Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements
address all electronic protected health information you maintain, not just what is in your EHR.
Myth: My EHR vendor took care of everything I need to do about privacy and security.
Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and
security aspects of the EHR product. However, EHR vendors are not responsible for making their
products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a
complete risk analysis conducted.
Myth: I have to outsource the security risk analysis.
Fact: False. It is possible for small practices to do risk analysis. However, doing a thorough and professional
risk analysis that will stand up to a compliance review will require expert knowledge that could be
obtained through services of an experienced outside professional.
Myth: A checklist will suffice for the risk analysis requirement.
Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of
performing a systematic security risk analysis or documenting that one has been performed.
Myth: There is a specific risk analysis method that I must follow.
Fact: False. A risk analysis can be performed in countless ways. However, expert HIPAA knowledge and
guidance assists organizations in identifying and implementing the most effective and appropriate
safeguards to secure e-PHI.
Myth: My security risk analysis only needs to look at my EHR.
Fact: False. Review all electronic devices that store, capture, or modify electronic protected health
information. Include your EHR hardware and software and devices that can access your EHR data (e.g.,
your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.
Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
Myth: I only need to do a risk analysis once.
Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security
protections.
Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.
Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk
analysis during the reporting period.
Myth: Each year, I’ll have to completely redo my security risk analysis.
Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your
practice or electronic systems occur, review and update the prior analysis for changes in risks.
Contact Information
Toll: 800-236-2498
Local: 678.648.1255
Fax: 678.264.2197
email: info@mbmehs.com
Website: www.mbmehs.com
HXR 2016: New Models for Care Delivery -Andrew Schutzbank, Iora Health
 
Hitech Act
Hitech ActHitech Act
Hitech Act
 
The HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your ProblemThe HIPAA Security Rule: Yes, It's Your Problem
The HIPAA Security Rule: Yes, It's Your Problem
 
HXR 2016: Sustainable Design -Jen Briselli, James Christie, Mad*Pow
HXR 2016: Sustainable Design -Jen Briselli, James Christie, Mad*PowHXR 2016: Sustainable Design -Jen Briselli, James Christie, Mad*Pow
HXR 2016: Sustainable Design -Jen Briselli, James Christie, Mad*Pow
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for Developers
 
Cia security model
Cia security modelCia security model
Cia security model
 
Hipaa hitech requirements
Hipaa hitech requirementsHipaa hitech requirements
Hipaa hitech requirements
 
HxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason Wang
 
Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA Compliance
 

Semelhante a MBM eHealthCare Solutions HIPAA-HITECH & Meaningful Use Risk Analysis

What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeMedSafe
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Fameworklneut03
 
The Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk ManagementThe Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk ManagementKeySys Health
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptxcejobelle
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmtmadunix
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.pptkarthikvcyber
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdfkarthikvcyber
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentBradley Susser
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningBlack Duck by Synopsys
 
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit ClinicsRoad Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit ClinicsIOSR Journals
 
HITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessmentHITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessmentVinit Thakur
 
Database Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationDatabase Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationApril Dillard
 
Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
Homework AssignmentShort Answer Responses.1.  Describe the fiv.docxHomework AssignmentShort Answer Responses.1.  Describe the fiv.docx
Homework AssignmentShort Answer Responses.1. Describe the fiv.docxadampcarr67227
 

Semelhante a MBM eHealthCare Solutions HIPAA-HITECH & Meaningful Use Risk Analysis (20)

What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
 
Risk Assessment Famework
Risk Assessment FameworkRisk Assessment Famework
Risk Assessment Famework
 
The Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk ManagementThe Fundamentals of HIPAA Privacy & Security Risk Management
The Fundamentals of HIPAA Privacy & Security Risk Management
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
SDET UNIT 5.pptx
SDET UNIT 5.pptxSDET UNIT 5.pptx
SDET UNIT 5.pptx
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
Gs Ch1
Gs Ch1Gs Ch1
Gs Ch1
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdf
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability Scanning
 
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit ClinicsRoad Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
Road Map to HIPAA Security Rules Compliance: Risk Analysis at Orbit Clinics
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment Basics
 
HITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessmentHITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessment
 
Database Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationDatabase Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every Organization
 
Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
Homework AssignmentShort Answer Responses.1.  Describe the fiv.docxHomework AssignmentShort Answer Responses.1.  Describe the fiv.docx
Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
 

Mais de Charles McNeil

Case Study: Internet Televison vs Satellite TV Cost Comparison
Case Study: Internet Televison vs Satellite TV Cost ComparisonCase Study: Internet Televison vs Satellite TV Cost Comparison
Case Study: Internet Televison vs Satellite TV Cost ComparisonCharles McNeil
 
2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and proceduresCharles McNeil
 
Nist tech beat for january 7, 2015
Nist tech beat for january 7, 2015Nist tech beat for january 7, 2015
Nist tech beat for january 7, 2015Charles McNeil
 
MBM Managed Security Services
MBM Managed Security ServicesMBM Managed Security Services
MBM Managed Security ServicesCharles McNeil
 
Premier announces new supplier agreements
Premier announces new supplier agreementsPremier announces new supplier agreements
Premier announces new supplier agreementsCharles McNeil
 
Premier contracted supplier
Premier contracted supplierPremier contracted supplier
Premier contracted supplierCharles McNeil
 
Kensington i pad air chassis story
Kensington i pad air chassis storyKensington i pad air chassis story
Kensington i pad air chassis storyCharles McNeil
 
MBM Security Products Matrix
MBM Security Products MatrixMBM Security Products Matrix
MBM Security Products MatrixCharles McNeil
 
How MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH Requirements
How MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH RequirementsHow MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH Requirements
How MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH RequirementsCharles McNeil
 
MBM's Revenue Cycle Analyzer Tool
MBM's Revenue Cycle Analyzer ToolMBM's Revenue Cycle Analyzer Tool
MBM's Revenue Cycle Analyzer ToolCharles McNeil
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security SuiteCharles McNeil
 
5 Hidden Benefits of an EHR Adoption
 5 Hidden Benefits of an EHR Adoption 5 Hidden Benefits of an EHR Adoption
5 Hidden Benefits of an EHR AdoptionCharles McNeil
 

Mais de Charles McNeil (14)

Case Study: Internet Televison vs Satellite TV Cost Comparison
Case Study: Internet Televison vs Satellite TV Cost ComparisonCase Study: Internet Televison vs Satellite TV Cost Comparison
Case Study: Internet Televison vs Satellite TV Cost Comparison
 
2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures2014 updated editable hipaa hitech policy and procedures
2014 updated editable hipaa hitech policy and procedures
 
Nist tech beat for january 7, 2015
Nist tech beat for january 7, 2015Nist tech beat for january 7, 2015
Nist tech beat for january 7, 2015
 
MBM Managed Security Services
MBM Managed Security ServicesMBM Managed Security Services
MBM Managed Security Services
 
Premier announces new supplier agreements
Premier announces new supplier agreementsPremier announces new supplier agreements
Premier announces new supplier agreements
 
Premier contracted supplier
Premier contracted supplierPremier contracted supplier
Premier contracted supplier
 
Kensington i pad air chassis story
Kensington i pad air chassis storyKensington i pad air chassis story
Kensington i pad air chassis story
 
Healthcare solutions
Healthcare solutionsHealthcare solutions
Healthcare solutions
 
Healthcare brochure
Healthcare brochureHealthcare brochure
Healthcare brochure
 
MBM Security Products Matrix
MBM Security Products MatrixMBM Security Products Matrix
MBM Security Products Matrix
 
How MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH Requirements
How MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH RequirementsHow MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH Requirements
How MBM eHealthCare Solutions Help Businesses Meet HIPAA / HITECH Requirements
 
MBM's Revenue Cycle Analyzer Tool
MBM's Revenue Cycle Analyzer ToolMBM's Revenue Cycle Analyzer Tool
MBM's Revenue Cycle Analyzer Tool
 
MBM's InterGuard Security Suite
MBM's InterGuard Security SuiteMBM's InterGuard Security Suite
MBM's InterGuard Security Suite
 
5 Hidden Benefits of an EHR Adoption
 5 Hidden Benefits of an EHR Adoption 5 Hidden Benefits of an EHR Adoption
5 Hidden Benefits of an EHR Adoption
 

Último

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Último (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

MBM eHealthCare Solutions HIPAA-HITECH & Meaningful Use Risk Analysis

  • 6. Threat
NIST SP 800-30 describes a "threat-source" as the interaction of an actor and a motivation, and a "threat" as the interaction between a threat-source and a vulnerability: the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
A threat, then, is an intention or motivation, an actor, a possibility of danger, or a combination of some of those. My preferred definition is that a threat is the "interaction of actor, motivation and vulnerability".
  • 7. Risk
NIST SP 800-30: Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs, and (ii) the likelihood of occurrence.
Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
Put another way: risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. So "risk" contains elements of a threatening circumstance (actor, motivation and vulnerability), probability and business impact.
It is important to consider semantics here: we are not considering the risk of a threat, we are considering the risk associated with the business suffering an outcome as a result of a threat.
  • 8. Risk Governance
National Institute of Standards and Technology (NIST) SP 800-30, Risk Management
Risk assessment is the first process in the risk management methodology. The risk assessment methodology has nine core components:
1. Understanding your environment (system characterization)
2. Vulnerability identification
3. Threat identification
4. Assessment of how you safeguard your systems now (control analysis)
5. Likelihood analysis (how likely is it that a threat will materialize?)
6. Impact analysis (which systems are "mission critical"?)
7. Risk determination (ranking the risks)
8. Control recommendations (what are the answers or solutions for your risks?)
9. Results documentation (documenting and reporting your results)
Related guidance: NIST SP 800-53A (assessing security controls) and NIST SP 800-66 (implementing the HIPAA Security Rule).
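The definitions on the Risk slide and the nine-step methodology above can be carried through end to end on a small ePHI inventory. The Python below is an added example written for this page, not code from the presentation or from NIST: it uses the qualitative likelihood weights (Low 0.1, Medium 0.5, High 1.0), impact weights (Low 10, Medium 50, High 100) and risk bands (Low 1-10, Medium >10-50, High >50-100) from the 2002 edition of NIST SP 800-30, while the assets, vulnerabilities, threats and controls are constructed sample data for a small practice. The rule that each implemented control lowers likelihood by one band is an assumption made for the example, not something SP 800-30 prescribes.

```python
"""NIST SP 800-30 style risk determination for ePHI assets (added example)."""
from dataclasses import dataclass

# SP 800-30 (2002), Tables 3-4 to 3-6: likelihood weight x impact weight = risk score
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
BANDS = ["Low", "Medium", "High"]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: Low (1-10), Medium (>10-50), High (>50-100)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    asset: str            # step 1: system characterization (where ePHI is created, stored, sent)
    vulnerability: str    # step 2: vulnerability identification
    threat_source: str    # step 3: threat identification
    controls: tuple       # step 4: safeguards already in place
    raw_likelihood: str   # step 5 input: likelihood with no controls considered
    impact: str           # step 6: worst-case effect on confidentiality/integrity/availability
    recommendation: str   # step 8: control recommendation

    def effective_likelihood(self) -> str:
        # Assumption for this example only: each implemented control lowers the
        # likelihood one band, never below Low.
        idx = BANDS.index(self.raw_likelihood) - len(self.controls)
        return BANDS[max(idx, 0)]

    def score(self) -> float:
        # Round away float noise so the 10 and 50 band edges compare exactly.
        return round(LIKELIHOOD[self.effective_likelihood()] * IMPACT[self.impact], 6)

    def level(self) -> str:
        return risk_level(self.score())


def build_register() -> list:
    """Constructed sample register for a small practice; not real findings."""
    return [
        RiskItem("EHR application server", "operating system missing security updates",
                 "external attacker / malware", (), "High", "High",
                 "patch monthly; vulnerability scan after each patch cycle"),
        RiskItem("clinician laptop holding local ePHI", "no full-disk encryption",
                 "theft or loss of device", (), "Medium", "High",
                 "enable full-disk encryption; enroll in remote wipe"),
        RiskItem("off-site backup tapes", "media not encrypted",
                 "loss in transit", ("courier chain-of-custody log",), "Medium", "High",
                 "encrypt backups before they leave the building"),
        RiskItem("front-desk workstation", "shared login; screen visible from waiting room",
                 "unauthorized viewing by visitors", ("privacy screen",), "High", "Low",
                 "individual accounts; automatic screen lock"),
    ]


def rank(register: list) -> list:
    """Step 7: risk determination, highest score first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def report(register: list) -> list:
    """Step 9: one documented line per risk for the risk analysis record."""
    lines = []
    for r in rank(register):
        lines.append(
            f"{r.level():6} {r.score():5.1f}  {r.asset} | {r.vulnerability} | "
            f"{r.threat_source} | likelihood {r.effective_likelihood()}, impact {r.impact} | "
            f"controls: {', '.join(r.controls) or 'none'} | recommend: {r.recommendation}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_register())))
```

Two edge cases are worth noticing when running it: the unencrypted laptop lands exactly on 50, which the SP 800-30 scale still calls Medium, and the backup tapes land exactly on 10, which is Low. A practitioner ranking risks by hand often rounds these up; whichever way you go, record the band boundaries you used in the results documentation so the next reviewer can reproduce the ranking.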
  • 9. Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals' health information (called "protected health information") by organizations subject to the Privacy Rule (called "covered entities"), as well as standards for individuals' privacy rights to understand and control how their health information is used.
Privacy Rule Goal
A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
  • 10. Security Rule
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.
Security Rule Requires
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
  • 11. The HIPAA Final Security Rule, February 20, 2003
§164.306(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and
(4) Ensure compliance with this subpart by its workforce.
A rule by the Department of Health and Human Services, modified on 01/25/2013.
  • 12. Risk Analysis under the Security Rule
HIPAA requires that each covered entity conduct a formal risk analysis. Specifically, this means:
• Analyze the risks and vulnerabilities to the ePHI the covered entity creates, maintains, stores or transmits
• Understand the probability of these risks and vulnerabilities
• Assess measures already in place to reduce these risks
• Analyze its information and applications to find what is critical and what is not
• Conduct a formal risk analysis that balances the cost of security against the expected value of losses
• As a result of the analysis, each entity must have a formal risk management process that reduces risk to an acceptable level
  • 13. Risk Analysis Requirements under the Security Rule
The Security Management Process standard in the Security Rule requires organizations to: “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
• RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
The following questions, adapted from NIST Special Publication (SP) 800-66 (see note 5), are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
• Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
• What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
• What are the human, natural, and environmental threats to information systems that contain e-PHI?
In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)
The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate.
Note 5: See NIST SP 800-66, Section #4, “Considerations When Applying the HIPAA Security Rule.” Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf
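To make the steps on slides 12 and 13 concrete (identify where ePHI lives, list human, natural and environmental threats, credit safeguards already in place, rank by criticality, weigh the cost of security against expected losses, and document the resulting risk management decision), here is an added worked example of a small risk register. It is not part of the presentation and not taken from NIST SP 800-66; the 1-to-5 likelihood and impact scales, the acceptance threshold, the control-effectiveness model, and every asset, threat and dollar figure are constructed assumptions.

```python
"""Worked security risk analysis register for ePHI (added example; constructed data).

Scoring model (an assumption, not prescribed by HIPAA or NIST SP 800-66):
  likelihood 1..5 x impact 1..5 -> inherent risk 1..25
  residual risk = inherent x (1 - effectiveness of safeguards already in place)
  a proposed safeguard is cost-justified when the expected annual loss it
  avoids is at least its annual cost (the "cost of security vs expected loss" step)
"""
from dataclasses import dataclass

ACCEPTABLE_RESIDUAL = 6.0   # assumed risk-acceptance threshold on the 1..25 scale


@dataclass
class Risk:
    asset: str                      # where ePHI is created, received, maintained or transmitted
    threat: str                     # human, natural or environmental threat
    vulnerability: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe) harm to C/I/A of ePHI
    existing_effectiveness: float   # 0.0 (no safeguard) .. 1.0 (fully mitigated)
    annual_expected_loss: float     # constructed estimate, dollars per year, before safeguards
    proposed_control: str = ""
    proposed_cost: float = 0.0      # annual cost of the additional safeguard
    proposed_effectiveness: float = 0.0

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        return round(self.inherent() * (1 - self.existing_effectiveness), 2)

    def residual_after_proposed(self) -> float:
        # two independent safeguards: what gets through is the product of what each lets through
        leak = (1 - self.existing_effectiveness) * (1 - self.proposed_effectiveness)
        return round(self.inherent() * leak, 2)

    def loss_avoided(self) -> float:
        remaining = self.annual_expected_loss * (1 - self.existing_effectiveness)
        return round(remaining * self.proposed_effectiveness, 2)


def treatment(risk: Risk) -> str:
    """Risk management decision, recorded so it can be shown in a compliance review."""
    if risk.residual() <= ACCEPTABLE_RESIDUAL:
        return "accept"
    if risk.proposed_control and risk.loss_avoided() >= risk.proposed_cost:
        return "mitigate"
    if risk.proposed_control:
        # addressable-style outcome: document why the control is not reasonable and
        # appropriate for this practice and look for an equivalent, cheaper measure
        return "document-and-find-equivalent"
    return "escalate"   # above threshold with no candidate safeguard identified yet


def rank(register):
    """Highest residual risk first; ties broken by impact so the most critical ePHI surfaces."""
    return sorted(register, key=lambda r: (r.residual(), r.impact), reverse=True)


def analyze(register):
    """Produce the risk-management table: one row per risk with the decision and its rationale."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent(),
            "residual": r.residual(),
            "decision": treatment(r),
            "proposed_control": r.proposed_control,
            "loss_avoided": r.loss_avoided(),
            "control_cost": r.proposed_cost,
        }
        for r in rank(register)
    ]


# Constructed sample register for a small practice (all values are illustrative).
SAMPLE_REGISTER = [
    Risk("clinician laptop", "theft (human)", "ePHI stored unencrypted on local disk",
         4, 5, 0.2, 50_000, "full-disk encryption", 2_000, 0.9),
    Risk("EHR server", "ransomware via phishing (human)", "users can run e-mail attachments",
         3, 5, 0.5, 30_000, "mail filtering + awareness training", 6_000, 0.6),
    Risk("vendor remote-support account", "credential misuse (human)", "shared standing access",
         3, 4, 0.3, 12_000, "privileged access management", 15_000, 0.7),
    Risk("office copier", "improper disposal (human)", "hard disk retains scanned records",
         2, 3, 0.0, 5_000),
    Risk("server room", "flood (natural)", "equipment on the floor, no water sensors",
         1, 4, 0.0, 20_000),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_REGISTER):
        print(f"{row['residual']:>5}  {row['decision']:<28} {row['asset']} / {row['threat']}")
```

Running it ranks the unencrypted laptop first (inherent 20, residual 16 after crediting the screen lock) and marks encryption as a cost-justified mitigation, while the vendor-access risk stays above the threshold but fails the cost test, which is exactly the case where the slide's addressable-specification language applies: the decision and its reasoning have to be written down and an equivalent measure considered. The copier and flood entries fall under the acceptance threshold and are accepted with the rationale on record, which is the "formal risk management process" the slide asks for.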
  • 14. Who Should Conduct Security Risk Analysis?
• Your EMR vendor will NOT meet this requirement for you
• IT vendor – may lack HIPAA and non-technical expertise
• The practice does it itself – usually lacks resources and expertise
• Third party independent auditor
  • 15. HIPAA Security Rule Requirements
• Administrative Safeguards Standards
  – Security Management Process
    – Risk Analysis
    – Risk Management
  – Information Access Management
  – Security Awareness & Training
• Physical Safeguards
  – Workstation security & device/media controls
• Technical Safeguards
  – Access controls to ePHI
  – Audit & transmission security
• Organizational Requirements
  – BA Contracts addressing security of ePHI
  – Policy & procedures documentation
  • 16. Structure of the Security Rule
• Standards – the broad security requirements
  – The standards are “required”
• Implementation Specifications – the more detailed instructions contained within each Standard
  – Some are required (R)
  – Some are addressable (A) – flexibility and latitude in meeting them
  – Based on what’s “reasonable and appropriate”
  • 17. Defining Reasonable and Appropriate
• The size, complexity and technical capabilities of the covered entity
• The nature of the patient population (celebrities, athletes) and the sensitivity of the data
• The costs of security measures
• From the risk analysis: the likelihood and criticality of potential risks to ePHI
  • 18. HITECH Act
The term HITECH stands for Health Information Technology for Economic and Clinical Health, which is part of the American Recovery and Reinvestment Act enacted by the U.S. Congress in 2009. This act requires medical establishments to adopt and make use of Electronic Health Records, with the deadline falling in the year 2019.
HITECH Offers
The government offers incentive programs for medical establishments that follow the HITECH Act. Turning their records into EHR systems is highly recommended for better security while getting easy access to their files when needed. Those who are not able to comply with the HITECH Act will be penalized as stated in the act, which medical practices are not keen on experiencing; hence the move to the use of EHR.
Medicare = $44,000 (5 yrs)
Medicaid = $63,750 (6 yrs)
  • 19. Penalties
Increased Penalties
Before HITECH
• Noncompliance: $100 per violation, up to $25,000 per person for the same violation. For example, not having a risk analysis would be such a violation.
Penalties After HITECH
• Due to reasonable cause: $1,000 per violation – $100K max
• Due to willful neglect: $10,000 per violation if corrected – $250K max; $50,000 per violation if uncorrected – $1.5M max
  • 20. “Meaningful Use”
The American Recovery and Reinvestment Act of 2009 specifies three main components of Meaningful Use:
• The use of a certified EHR in a meaningful manner, such as e-prescribing.
• The use of certified EHR technology for electronic exchange of health information to improve quality of health care.
• The use of certified EHR technology to submit clinical quality and other measures.
Simply put, “meaningful use” means providers need to show they are using certified EHR technology in ways that can be measured significantly in quality and in quantity.
  • 21. Meaningful Use and Risk Analysis
MEANINGFUL USE Stage 1 Core CRITERIA
#12 Provide patients with an electronic copy of their health information upon request
#13 Provide clinical summaries for patients for each office
#14 Perform at least one test of certified EHR technical
#15 Conduct or review a Security Risk Analysis per 45 CFR 164.308(a)(1): conduct or review a Security Risk Analysis and implement security updates as necessary.
  • 22. Meaningful Use and Risk Analysis
MEANINGFUL USE Stage 2 Core CRITERIA
Per 45 CFR 164.308(a)(1): conduct or review a Security Risk Analysis and implement security updates as necessary.
Meaningful Use Core Measures – Measure 9 of 17 – Date issued: October 2012
Protect Electronic Health Information: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process for EPs.
Exclusion: No exclusion.
  • 23. Why Security Risk Analysis?
• Justification for “Reasonable and Appropriate” for Addressable Implementation Specifications
• Identify assets, vulnerabilities and controls
• Improved basis for decision making
• Justify expenditures for security
• Helps determine personnel access levels
• It is required for compliance
• Reduce your IT cost of ownership
  • 24. HHS’s Summary of the HIPAA Omnibus Rule
“1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:
A) Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
B) Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
C) Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
D) Require modifications to, and redistribution of, a Covered Entity’s notice of privacy practices.
E) Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
F) Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
  • 25. HHS’s Summary of the HIPAA Omnibus Rule, continued
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.”
  • 26. HIPAA Security Considerations
The HIPAA Security Rule addresses electronic patient health information, or ePHI.
• 19 standards, 42 specifications
• The documentation requirement is daunting
• No guidance is provided to address requirements
• Limited availability of resources
• Security expertise is expensive
  • 27. Our Consulting Features
• Endorsed by NIST, Homeland Defense and leading medical organizations and societies
• Over 55 specific HIPAA requirements addressed
• Cost-effective
• Differentiation between Required and Addressable items
• Reporting and progress reports
  – Network Mapping and Vulnerability Scanning
  – Management and Technical Detailed Summary
  – Remediation Reporting
  – Priority and status tracking
  – GAP Analysis
  – SAL Diagrams
• Tips, definitions, and example compliance efforts
• Recording of comments and compliance documentation
• Blueprint necessary for HIPAA Security Risk Management compliance
• We work with your IT group and organization
• Our Policies and Procedures Templates cover all 55 HIPAA-HITECH requirements
  • 28. HIPAA Security Onsite Investigations and Compliance Reviews
Personnel that may be interviewed
• President, CEO or Director
• HIPAA Compliance Officer
• Lead Systems Manager or Director
• Systems Security Officer
• Lead Network Engineer and/or individuals responsible for:
  – administration of systems which store, transmit, or access Electronic Protected Health Information (EPHI)
  – administration of systems networks (wired and wireless)
  – monitoring of systems which store, transmit, or access EPHI
  – monitoring of systems networks (if different from above)
• Computer Hardware Specialist
• Disaster Recovery Specialist or person in charge of data backup
• Facility Access Control Coordinator (physical security)
• Human Resources Representative
• Director of Training
• Incident Response Team Leader
• Others as identified….
  • 29. HIPAA Security Onsite Investigations and Compliance Reviews – Documents and other information
Policies and Procedures and other Evidence that Address the Following:
• Prevention, detection, containment, and correction of security violations
• Employee background checks and confidentiality agreements
• Establishing user access for new and existing employees
• List of authentication methods used to identify users authorized to access EPHI
• List of individuals and contractors with access to EPHI, to include copies of pertinent business associate agreements
• List of software used to manage and control access to the Internet
• Detecting, reporting, and responding to security incidents (if not in the security plan)
• Physical security
• Encryption and decryption of EPHI
• Mechanisms to ensure integrity of data during transmission, including portable media transmission (i.e. laptops, cell phones, BlackBerries, thumb drives)
• Monitoring systems use – authorized and unauthorized
• Use of wireless networks
• Granting, approving, and monitoring systems access (for example, by level, role, and job function)
• Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
• Termination of systems access
• Session termination policies and procedures for inactive computer systems
• Policies and procedures for emergency access to electronic information systems
• Password management policies and procedures
• Secure workstation use (documentation of specific guidelines for each class of workstation, i.e., on site, laptop, and home system usage)
• Disposal of media and devices containing EPHI
  • 30. HIPAA Security Onsite Investigations and Compliance Reviews – Documents and other information, cont.
Other Documents:
• Entity-wide Security Plan
• Risk Analysis (most recent)
• Risk Management Plan (addressing risks identified in the Risk Analysis)
• Security violation monitoring reports
• Vulnerability scanning plans
• Results from most recent vulnerability scan
• Network penetration testing policy and procedure
• Results from most recent network penetration test
• List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
• Configuration standards, to include patch management, for systems which store, transmit, or access EPHI (including workstations)
• Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
• Organization chart, to include staff members responsible for general HIPAA compliance and for the protection of EPHI
• Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
• Policies and procedures governing the use of virus protection software
• Data backup procedures
• Disaster recovery plan
• Disaster recovery test plans and results
• Analysis of information systems, applications, and data groups according to their criticality and sensitivity
• Inventory of all information systems, to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
• List of all Primary Domain Controllers (PDC) and servers
• Inventory log recording the owner and movement of media and devices that contain EPHI
  • 31. Myth / Fact
Myth: The security risk analysis is optional for small providers.
Fact: False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.
Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
Myth: My EHR vendor took care of everything I need to do about privacy and security.
Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
Myth: I have to outsource the security risk analysis.
Fact: False. It is possible for small practices to do risk analysis. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.
Myth: A checklist will suffice for the risk analysis requirement.
Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
Myth: There is a specific risk analysis method that I must follow.
Fact: False. A risk analysis can be performed in countless ways. However, expert HIPAA knowledge and guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
Myth: My security risk analysis only needs to look at my EHR.
Fact: False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
Myth: I only need to do a risk analysis once.
Fact: False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.
Myth: Before I attest for an EHR incentive program, I must fully mitigate all risks.
Fact: False. The EHR incentive program requires addressing any deficiencies identified during the risk analysis during the reporting period.
Myth: Each year, I’ll have to completely redo my security risk analysis.
Fact: False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.
  • 33. Contact Information
Toll: 800-236-2498
Local: 678.648.1255
Fax: 678.264.2197
Email: info@mbmehs.com
Website: www.mbmehs.com