HIPAA & HITECH Requirements, Compliance, and Meaningful Use

We know it’s confusing. Let’s focus on what you need to know!

Information Security Assessments – “We Take Your Security Personally”

Phyllis Patrick, MBA, FACHE, CHC – Phyllis A. Patrick and Associates LLC – Phyllis@phyllispatrick.com
Dan Berger, Executive Vice President – Redspin, Inc. – dberger@redspin.com
Agenda
-   New Era in Health IT – What it means to you
-   Risk Assessment Strategies and Components
-   Effective Security Process
-   Meaningful Use and how to get incentive $
-   Practical Example –Case Study
New Era in Health IT

– New Regulations and Initiatives
– Incentive Funding (Medicare & Medicaid)
– New Consumer and Patient Issues
New Programs

• EHRs – Electronic Health Records
• HIEs – Health Information Exchanges
• RECs – Regional Extension Centers
• EHRs – Achieving meaningful use of certified EHRs
Privacy and Security Policies and Programs

• Privacy as a Patient Satisfaction Issue
• Synergy with Quality and Safety Programs
• Right of Private Action/State AG Activities
   – New Regulations and Initiatives
   – Incentive Funding (Medicare & Medicaid)
   – New Consumer and Patient Issues
The ONC Mandate

Americans will benefit from electronic health records as “part of a modernized, interconnected, and vastly improved system of care delivery.”
ONC Mandate and Initiatives

 • Temporary Certification Program
 • Standards and Certification Criteria Final Rule
 • Medicare and Medicaid EHR Incentive
   Programs
 • Meaningful Use of EHRs Final Rule
 • Certified Health IT Product List
New Federal Regulations

– Meaningful Use of Electronic Health Records
  (Final Rule) – Medicare and Medicaid Incentive
  Programs
– Certification Process/Criteria
– Certification Standards
– HITECH Amendments to HIPAA
– Breach Notification Requirements
What are the Rules?
Security Laws

–   Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
–   Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
–   Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
–   Family Educational Rights and Privacy Act (FERPA)
–   Payment Card Industry Data Security Standard (PCI DSS)
–   State Breach Notification, Social Security Numbers, Data Protection, and other laws
–   Children’s Online Privacy Protection Act
–   Federal Information Security Management Act (FISMA)
–   H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
–   Encryption Laws (e.g., State laws)
–   Sarbanes-Oxley Act (Public Companies)
–   Gramm-Leach-Bliley Act (Financial Services)
–   And more………
Some rules haven’t changed – Have you fully implemented the HIPAA Security Rule?

The HIPAA Security Rule

–   Compliance Date: April, 2005
–   42 Standards and Implementation Specifications
–   Information Security Management Program
–   Applies to Electronic Protected Health Information (ePHI) that a Covered Entity Creates, Receives, Maintains, or Transmits
Security Rule Standards

Evaluation Standard
“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]

Related Standards
– Security Management Process §164.308(a)(1)(i)
– Risk Analysis §164.308(a)(1)(ii)(A)
– Risk Management §164.308(a)(1)(ii)(B)
– Information System Activity Review §164.308(a)(1)(ii)(D)
Consequences of Not Meeting the Requirements

New Enforcement Efforts and Priorities

HHS made changes to the HIPAA regulations to conform
the enforcement component of the regulations to the
statutory revisions made pursuant to the HITECH Act.

• Civil Monetary Penalties
• Violations categorized
• Tiered ranges of civil money penalty amounts
Penalties – Per Calendar Year

– Person did not know (and by exercising reasonable due diligence would not have known):
  $100 - $50K/violation, not to exceed $25K - $1.5MM
– Violation due to reasonable cause and not to willful neglect:
  $1,000 - $50K/violation, not to exceed $100K - $1.5MM
– Due to willful neglect and violation was corrected:
  $10K - $50K/violation, not to exceed $250K - $1.5MM
– Due to willful neglect and violation was not corrected:
  At least $50K/violation, not to exceed $1.5MM
GOVERNANCE

• Leadership
• Organizational Structures
• Processes that support the security and privacy programs while supporting and sustaining the organization’s mission and strategic goals
• Relationships with Business Associates and 3rd parties
Effective Security Program Governance
– Involves appropriate organizational personnel
– Defines a governance framework or methodology
– Enables uniform risk measurement across the
  organization
– Produces quantifiable, meaningful deliverables
– Reflects business practices, organizational risk
  appetites, and changing levels of risk




   Reference: IT Compliance Institute
Business Associates

Covered Entity (CE)
A health plan, health care clearinghouse, or health
care provider who transmits any health information in
electronic form in connection with a transaction
covered under the HITECH Act

Business Associate (BA)
Party who performs a function on behalf of a Covered
Entity and has access to PHI in the performance of
that function
Business Associate Compliance

Liability:
- BAs are contractually liable to CEs for breach of BA agreement
- BAs are civilly and criminally liable to Federal government for violations

Notification:
- BA notify CE of any breach
- CE has obligation to notify patients and HHS
- If 500+ persons, notify media serving their area

Recommendations:
- Identify BAs with highest risk
- Communicate expectations to BAs
- Automate contract and BA agreement files
- Develop auditing and monitoring process
- Educate executives and key players on BAs

Business Associates (BAs) of a Covered Entity (CE) include:
- IT vendors
- coding vendors
- outsourced call center
- subcontractors
- insurance companies
- pharmacies
- hospitals
- physicians
- e-prescribing ecosystem
- CPOE
- radiology labs
- HIEs
- RHIOs
- ACOs
- lawyers
- CPAs
- housekeeping services
- etc. !!!
Assessing Your Security Program

Components of the Assessment
• Governance of the Privacy and Security Programs
• Privacy Rule and Security Rule Standards
• Policies and Procedures
• Risk Assessment and RA Management
• Program Infrastructure
   – Designation of Privacy and Security Officers
   – Reporting Relationships
   – Staffing and Resources
• Education and Training Programs
• Security Breach Notification Policy and Procedures
• Readiness to meet HITECH/HIPAA requirements and Meaningful Use criteria
• Impacts of Business Partner/Business Associate Relationships
• Auditing and Monitoring Processes
Strategies for a Risk Assessment

• Formal and ongoing evaluation and review process
• Periodic Risk Analysis, in particular following significant changes
• Senior leader support
• Adequate and available resources
• Steering committee

Strategies for a Risk Assessment

•   Governance/Reporting/Metrics
•   Organization-wide Risk Analysis
•   Communication of Risk Profile
•   Documentation and Action Plans
•   Independent Consultants?
Show Me the Money
How to Access Federal Dollars
Eligible Entities

–   Eligible professionals (EPs)
–   Eligible hospitals
–   Critical access hospitals
–   Certain Medicare Advantage Organizations whose affiliated
    EPs and hospitals are meaningful users of certified EHR
    technology
What is “Meaningful Use?”
• Use of a certified EHR in a meaningful manner (e.g.,
e-prescribing)
• Use of certified EHR technology for electronic
exchange of health information to improve quality of
health care
• Use of certified EHR technology to submit clinical
quality and other measures
Meaningful Use – Criteria and Standards

     – Is the practice or hospital making adequate use of EHRs?
     – Has a risk analysis been conducted?
     – Is there a platform for staged implementation?
  To achieve meaningful use, providers must:
     – Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies
     – Comply with all applicable federal and state laws and regulations
     – Provide transparency of data sharing to patients
Meaningful Incentive Program

Medicare EHR
 Participation as early as FY 2011
 EPs may receive up to $44,000 over 5 years, plus incentive if in HPSA
 Must begin by 2012 to get maximum
 Incentives for hospitals may begin in 2011 w/a $2 million base payment
 Medicare EPs, hospitals and CAHs who do not show meaningful use have payment decrease beginning 2015

Medicaid EHR
 Voluntarily offered by individual states
 May begin as early as FY 2011
 EPs may receive up to $63,750 over 6 years
 Incentives for hospitals may begin in 2011
 No payment adjustment for providers who do not show meaningful use
CMS Meaningful Use Goals

• Improve quality, safety, and efficiency of health care and reduce health disparities
• Engage patients and families
• Improve care coordination
• Improve population and public health, and
• Ensure adequate privacy and security protections for personal health information
HIPAA/HITECH Compliance

What are the objectives of a HIPAA Risk Analysis and Security Assessments?

Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.

Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (EPHI) triggering the breach notification requirements.
Some Types of Assessments

• Wireless Pen
• Web App
• External Pen
• Internal Pen
• Social Engineering

Other possible assessments:
- PCI, if credit cards
- Sarbanes-Oxley
- Gramm-Leach-Bliley

Controls: Data Security, Network Analysis, Physical Security, Systems Analysis
Components of Risk

The assets (what you are trying to protect is PHI)
• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what are you afraid of happening?)
• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
• Hackers using application attacks to gain access to database records.
• Insiders gathering inappropriate data through misconfigured access control.

The vulnerabilities (how could the threat occur?)
• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
• Application vulnerabilities (e.g., SQL injection, command injection)
• Misconfigured database access controls

Current mitigation (what is currently reducing the risk?)
• Staff
• Technology
• Processes
PHI/PII Risk Indication
Axolotl
Health Information Exchange (HIE) Solution Provider

CASE STUDY
Axolotl Overview

• Since 1995, Axolotl has been providing advanced Clinical Networking solutions
• Health Information Exchange has become a necessary foundation to support the “meaningful use” of health information technology
• Cloud environment – supports electronic sharing of data among hospitals, physicians, clinical laboratories, pharmacies, health plans (insurers), and public health department
• Security and regulatory compliance are imperative for Axolotl’s customers

Founded: 1995
Location: San Jose, California
Industry: Healthcare Technology Provider
Solutions For: Hospitals & Health Systems, RHIOs, State Health Agencies, Physicians
Employees: 200
Solution for Axolotl
Areas Covered
• Comprehensive information
  security assessment of
  governance and operational
  processes covering both
  production and internal systems
• Thorough assessment of
  policies, practices, and
  procedures from both an internal
  and external point of view
• Axolotl has been able to use
  information security and
  compliance as a distinct
  advantage in a fiercely
  competitive segment of the
  healthcare market.
Is Your Organization Ready?
Some Additional Thoughts…
Common Themes and Issues

• Lack of Documentation
• Lack of Awareness of Programs
• Insufficient Training and Education
• Lack of adequate Disaster and Business Continuity Planning
• Privacy and Security less priority than Safety or Quality Programs
• Mobile Device Policy and Procedures
• Managers unaware of their role and responsibilities in privacy and security
• Management of Business Associate Relationships
• Lack of or outdated Encryption Policy and Procedures
• Who to Contact in case of perceived or actual Security Breach or Privacy Incident
EHR for the Future

• Whatever happens to the health care agenda, EHRs will
  continue to evolve and regionalization will occur
• Some geographical areas will develop mature EHRs faster than
  others
• Patients/consumer engagement is gaining traction
• Vendor market will consolidate and be more accountable
Appendix

Strategies for a Risk Assessment

Topics covered in this appendix: Evaluation/Review Process; Risk Analysis; Steering Committee; Governance; Metrics/Scoreboard; Risk/Threats; Integrated Assessment; Risk Profile; Consultant Criteria; Sr. Mgmt. Support; Penalties; Document!

• Establish a formal, ongoing Evaluation and Review Process using independent consultant/third party. Conduct the review using project management tools and methods.

• Perform Risk Analysis, following established policies and procedures, at a minimum, every three years or whenever there is a significant change in the environment (e.g., new system, new regs, new service, new threats, changes in senior management)
Strategies for Risk Assessment

• Establish an ongoing Steering Committee:
   o Dedicate a multi-disciplinary team responsible for guiding the Evaluation and Risk Assessment Processes; utilize existing team/committee if appropriate

• Establish governance structure/process for Security and Privacy – reports to BOD, Audit & Compliance Committee, Strategic Planning Committee, etc.

• Security and Privacy Metrics/Scoreboard
Strategies for Risk Assessment

• Determine level of risk and threat to the organization, e.g.,
   • Security Breach
   • Identity Theft/Medical Identity Theft
   • Privacy Complaints/OCR Complaints/Patient Suits
   • Organization’s “Risk Appetite”
   • Organizational reputation
   • Financial consequences

• Integrate risk assessment for security and privacy into organization-wide risk assessment – risk assessment for all types of risk

• Develop and communicate Risk Profile
Strategies for a Risk Assessment

• Retain independent consultant that meets specific criteria:
   – Determine qualifications of individuals performing review
   – Ask questions to ascertain if consultants possess “hands on” experience
   – Do reports summarize data or provide noted gaps analysis?
   – Does the consultant provide a “to do list” based upon the audit results, mapping a path for the organization to follow, or is it buried in the summary?
   – Do you understand the results and have support from the organization to resolve issues identified?
Strategies for a Risk Assessment

• Elicit support from senior management to provide adequate resources to address areas of identified risks

• Note: Organizations that ignore findings are subject to increased penalties!

• Documentation and retention of action plans and follow-up is key to surviving and resolving audits and investigations.
Successful information risk management program

1. Organizing for performance
2. Assessing risk
3. Decision analysis
4. Policy implementation
5. Measuring program effectiveness
6. Repeat steps 2-5, adjust the organization defined in step 1 to evolving business requirements
Risk Management Process: Detail

Step 1. Assess Risk
Identify and prioritize risks to the business.
a. Plan data gathering.
b. Gather risk data.
c. Prioritize risks.

Step 2. Decision Analysis
Evaluate requirements, understand possible solutions, select controls, estimate costs, and choose the most effective mitigation strategy.
a. Define functional requirements to mitigate risks.
b. Outline possible control solutions.
c. Estimate risk reduction.
d. Estimate solution cost.
e. Choose mitigation strategy.

Step 3. Policy Implementation
Acquisition and deployment of controls to carry out the policy.
a. Ensure policy specifications are enforceable.
b. Integrate process automation, people, and technology in the mitigation solution.
c. Defense in depth – coordinate application, system, data, and network controls.
d. Communicate policies and control responsibilities throughout the organization.

Step 4. Measure Effectiveness
Develop and disseminate reports. Provide management a dashboard of program effectiveness.
a. Management dashboard that summarizes organization’s risk profile.
b. Report on changes under consideration and underway.
c. Communicate effectiveness of the control solutions in mitigating risk.
d. Report on existing environment in terms of threats, vulnerabilities and risk profile.
HIPAA Audit Scope Attributions

Redspin & Phyllis and Associates Webinar – HIPAA, HITECH, Meaningful Use, IT Security

Healthcare Compliance: HIPAA and HITRUSTControlCase
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceControlCase
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1jhietala
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowCompliancy Group
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Health IT Conference – iHT2
 
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleHIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleMichigan Primary Care Association
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...eringold
 
E Healthcare Systems Hb Emr Prep Pp
E Healthcare Systems Hb Emr Prep PpE Healthcare Systems Hb Emr Prep Pp
E Healthcare Systems Hb Emr Prep Pphunterberney
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcementsupportc2go
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Compliancy Group
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for DevelopersTrueVault
 

Semelhante a Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security (20)

HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUST
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
 
Becoming HITECH - 9/2009
Becoming HITECH - 9/2009Becoming HITECH - 9/2009
Becoming HITECH - 9/2009
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) ComplianceHealth Insurance Portability and Accountability Act (HIPAA) Compliance
Health Insurance Portability and Accountability Act (HIPAA) Compliance
 
Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1Avior Healthcare Security Compliance Webcast Final1
Avior Healthcare Security Compliance Webcast Final1
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
 
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
Keynote Presentation "Building a Culture of Privacy and Security into Your Or...
 
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus RuleHIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
 
E Healthcare Systems Hb Emr Prep Pp
E Healthcare Systems Hb Emr Prep PpE Healthcare Systems Hb Emr Prep Pp
E Healthcare Systems Hb Emr Prep Pp
 
Hb Emr
Hb EmrHb Emr
Hb Emr
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for Developers
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019
 

Mais de Redspin, Inc.

HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateRedspin, Inc.
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedRedspin, Inc.
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Redspin, Inc.
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Redspin, Inc.
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Redspin, Inc.
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin, Inc.
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin, Inc.
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security PolicyRedspin, Inc.
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security riskRedspin, Inc.
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineRedspin, Inc.
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin, Inc.
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin, Inc.
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felonyRedspin, Inc.
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationRedspin, Inc.
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Redspin, Inc.
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityEnsuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityRedspin, Inc.
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...Redspin, Inc.
 

Mais de Redspin, Inc. (20)

HIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest StateHIPAA Enforcement Heats Up in the Coldest State
HIPAA Enforcement Heats Up in the Coldest State
 
Official HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol PublishedOfficial HIPAA Compliance Audit Protocol Published
Official HIPAA Compliance Audit Protocol Published
 
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)
 
Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?Healthcare IT Security Who's Responsible, Really?
Healthcare IT Security Who's Responsible, Really?
 
Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?Healthcare IT Security - Who's responsible, really?
Healthcare IT Security - Who's responsible, really?
 
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk AnalysisRedspin Webinar - Prepare for a HIPAA Security Risk Analysis
Redspin Webinar - Prepare for a HIPAA Security Risk Analysis
 
Redspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP TemplateRedspin HIPAA Security Risk Analysis RFP Template
Redspin HIPAA Security Risk Analysis RFP Template
 
Mobile Device Security Policy
Mobile Device Security PolicyMobile Device Security Policy
Mobile Device Security Policy
 
Financial institution security top it security risk
Financial institution security top it security riskFinancial institution security top it security risk
Financial institution security top it security risk
 
Managing Windows User Accounts via the Commandline
Managing Windows User Accounts via the CommandlineManaging Windows User Accounts via the Commandline
Managing Windows User Accounts via the Commandline
 
Redspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful UseRedspin February 17 2011 Webinar - Meaningful Use
Redspin February 17 2011 Webinar - Meaningful Use
 
Redspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach ReportRedspin Report - Protected Health Information 2010 Breach Report
Redspin Report - Protected Health Information 2010 Breach Report
 
Email hacking husband faces felony
Email hacking husband faces felonyEmail hacking husband faces felony
Email hacking husband faces felony
 
Meaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health informationMeaningful use, risk analysis and protecting electronic health information
Meaningful use, risk analysis and protecting electronic health information
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 
Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011Top 10 IT Security Issues 2011
Top 10 IT Security Issues 2011
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
 
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information SecurityEnsuring Security and Privacy in the HIE Market - Redspin Information Security
Ensuring Security and Privacy in the HIE Market - Redspin Information Security
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information Security
 
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...Step by Step Guide to Healthcare IT Security Risk Management  - Redspin Infor...
Step by Step Guide to Healthcare IT Security Risk Management - Redspin Infor...
 

Redspin & Phyllis and Associates Webinar - HIPAA, HITECH, Meaningful Use, IT Security

  • 1. HIPAA & HITECH Requirements, Compliance, and Meaningful Use
    We know it’s confusing. Let’s focus on what you need to know!
    Information Security Assessments: “We Take Your Security Personally”
    Phyllis Patrick, MBA, FACHE, CHC, Phyllis A. Patrick and Associates LLC (Phyllis@phyllispatrick.com)
    Dan Berger, Executive Vice President, Redspin, Inc. (dberger@redspin.com)
  • 2. Agenda
    – New Era in Health IT – What it means to you
    – Risk Assessment Strategies and Components
    – Effective Security Process
    – Meaningful Use and how to get incentive $
    – Practical Example – Case Study
  • 3. New Era in Health IT
    – New Regulations and Initiatives
    – Incentive Funding (Medicare & Medicaid)
    – New Consumer and Patient Issues
  • 4. New Programs
    – EHRs: Electronic Health Records
    – HIEs: Health Information Exchanges
    – RECs: Regional Extension Centers
    – EHRs: Achieving meaningful use of certified EHRs
  • 5. Privacy and Security Policies and Programs
    – Privacy as a Patient Satisfaction Issue
    – Synergy with Quality and Safety Programs
    – Right of Private Action/State AG Activities
    – New Regulations and Initiatives
    – Incentive Funding (Medicare & Medicaid)
    – New Consumer and Patient Issues
  • 6. The ONC Mandate
    Americans will benefit from electronic health records as “part of a modernized, interconnected, and vastly improved system of care delivery.”
  • 7. ONC Mandate and Initiatives
    – Temporary Certification Program
    – Standards and Certification Criteria Final Rule
    – Medicare and Medicaid EHR Incentive Programs
    – Meaningful Use of EHRs Final Rule
    – Certified Health IT Product List
  • 8. New Federal Regulations
    – Meaningful Use of Electronic Health Records (Final Rule) – Medicare and Medicaid Incentive Programs
    – Certification Process/Criteria
    – Certification Standards
    – HITECH Amendments to HIPAA
    – Breach Notification Requirements
  • 9. What are the Rules?
  • 10. Security Laws
    – Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
    – Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
    – Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
    – Family Educational Rights and Privacy Act (FERPA)
    – Payment Card Industry Data Security Standard (PCI DSS)
    – State Breach Notification, Social Security Numbers, Data Protection, and other laws
    – Children’s Online Privacy Protection Act
    – Federal Information Security Management Act (FISMA)
    – H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation
    – Encryption Laws (e.g., State laws)
    – Sarbanes-Oxley Act (Public Companies)
    – Gramm-Leach-Bliley Act (Financial Services)
    – And more…
  • 11. Some rules haven’t changed – Have you fully implemented the HIPAA Security Rule?
  • 12. The HIPAA Security Rule
    – Compliance Date: April, 2005
    – 42 Standards and Implementation Specifications
    – Information Security Management Program
    – Applies to Electronic Protected Health Information (ePHI) that a Covered Entity Creates, Receives, Maintains, or Transmits
  • 13. Security Rule Standards
    Evaluation Standard: “Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]
    Related Standards:
    – Security Management Process §164.308(a)(1)(i)
    – Risk Analysis §164.308(a)(1)(ii)(A)
    – Risk Management §164.308(a)(1)(ii)(B)
    – Information System Activity Review §164.308(a)(1)(ii)(D)
  • 14. Consequences of Not Meeting the Requirements
  • 15. New Enforcement Efforts and Priorities
    HHS made changes to the HIPAA regulations to conform the enforcement component of the regulations to the statutory revisions made pursuant to the HITECH Act.
    – Civil Monetary Penalties
    – Violations categorized
    – Tiered ranges of civil money penalty amounts
  • 16. Penalties – Per Calendar Year
    – Person did not know (and by exercising reasonable due diligence would not have known): $100 - $50K/violation, not to exceed $25K - $1.5MM
    – Violation due to reasonable cause and not to willful neglect: $1,000 - $50K/violation, not to exceed $100K - $1.5MM
    – Due to willful neglect and violation was corrected: $10K - $50K/violation, not to exceed $250K - $1.5MM
    – Due to willful neglect and violation was not corrected: At least $50K/violation, not to exceed $1.5MM
  • 17. Governance
    – Leadership
    – Organizational Structures
    – Processes that support the security and privacy programs while supporting and sustaining the organization’s mission and strategic goals
    – Relationships with Business Associates and 3rd parties
  • 18. Effective Security Program Governance
    – Involves appropriate organizational personnel
    – Defines a governance framework or methodology
    – Enables uniform risk measurement across the organization
    – Produces quantifiable, meaningful deliverables
    – Reflects business practices, organizational risk appetites, and changing levels of risk
    Reference: IT Compliance Institute
  • 19. Business Associates
    Covered Entity (CE): A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under the HITECH Act
    Business Associate (BA): Party who performs a function on behalf of a Covered Entity and has access to PHI in the performance of that function
  • 20. Business Associate Compliance
    [Diagram: the Covered Entity (CE) at the center of its Business Associate ecosystem]
    Business Associates (BAs): IT vendors, coding vendors, outsourced call center, subcontractors, insurance companies, pharmacies, hospitals, physicians, e-prescribing, CPOE, radiology labs, HIEs, RHIOs, ACOs, lawyers, CPAs, housekeeping services, etc. !!!
    Liability:
    – BAs are contractually liable to CEs for breach of BA agreement
    – BAs are civilly and criminally liable to Federal government for violations
    Notification:
    – BA notify CE of any breach
    – CE has obligation to notify patients and HHS
    – If 500+ persons, notify media serving their area
    Recommendations:
    – Identify BAs with highest risk
    – Communicate expectations to BAs
    – Automate contract and BA agreement files
    – Develop auditing and monitoring process
    – Educate executives and key players on BAs
  • 22. Components of the Assessment
    – Governance of the Privacy and Security Programs
    – Privacy Rule and Security Rule Standards
    – Policies and Procedures
    – Risk Assessment and Risk Management
    – Program Infrastructure
      – Designation of Privacy and Security Officers
      – Reporting Relationships
      – Staffing and Resources
    – Education and Training Programs
    – Security Breach Notification Policy and Procedures
    – Readiness to meet HITECH/HIPAA requirements and Meaningful Use criteria
    – Impacts of Business Partner/Business Associate Relationships
    – Auditing and Monitoring Processes
  • 23. Strategies for a Risk Assessment
    – Formal and ongoing evaluation and review process
    – Periodic Risk Analysis, in particular following significant changes
    – Senior leader support
    – Adequate and available resources
    – Steering committee
  • 24. Strategies for a Risk Assessment
    – Governance/Reporting/Metrics
    – Organization-wide Risk Analysis
    – Communication of Risk Profile
    – Documentation and Action Plans
    – Independent Consultants?
  • 25. Show Me the Money: How to Access Federal Dollars
  • 26. Eligible Entities
    – Eligible professionals (EPs)
    – Eligible hospitals
    – Critical access hospitals
    – Certain Medicare Advantage Organizations whose affiliated EPs and hospitals are meaningful users of certified EHR technology
  • 27. What is “Meaningful Use?”
    – Use of a certified EHR in a meaningful manner (e.g., e-prescribing)
    – Use of certified EHR technology for electronic exchange of health information to improve quality of health care
    – Use of certified EHR technology to submit clinical quality and other measures
  • 28. Meaningful Use – Criteria and Standards
    – Is the practice or hospital making adequate use of EHRs?
    – Has a risk analysis been conducted?
    – Is there a platform for staged implementation?
    To achieve meaningful use, providers must:
    – Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies
    – Comply with all applicable federal and state laws and regulations
    – Provide transparency of data sharing to patients
  • 29. Meaningful Incentive Program
    Medicare EHR:
    – Participation as early as FY 2011
    – EPs may receive up to $44,000 over 5 years, plus incentive if in HPSA
    – Must begin by 2012 to get maximum
    – Incentives for hospitals may begin in 2011
    – Medicare EPs, hospitals and CAHs who do not show meaningful use have payment decrease beginning 2015
    Medicaid EHR:
    – Voluntarily offered by individual states
    – May begin as early as FY 2011
    – EPs may receive up to $63,750 over 6 years
    – Incentives for hospitals may begin in 2011 w/a $2 million base payment
    – No payment adjustment for providers who do not show meaningful use
  • 30. CMS Meaningful Use Goals
    – Improve quality, safety, and efficiency of health care and reduce health disparities
    – Engage patients and families
    – Improve care coordination
    – Improve population and public health, and
    – Ensure adequate privacy and security protections for personal health information
  • 33. HIPAA/HITECH Compliance
    What are the objectives of a HIPAA Risk Analysis and Security Assessments?
    – Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.
    – Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (EPHI) triggering the breach notification requirements.
  • 34. Some Types of Assessments
    – Wireless Pen
    – Web App
    – External Pen
    – Internal Pen
    – Social Engineering
    – Controls
    – Data Systems Security Analysis
    – Network Security Analysis
    – Physical
    Other possible assessments:
    – PCI, if credit cards
    – Sarbanes-Oxley
    – Gramm-Leach-Bliley
  • 35. Components of Risk
    The assets (what you are trying to protect is PHI):
    – You need to know where it is, how it is used, and how it is transported over the network.
    The threats (what are you afraid of happening?):
    – Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
    – Hackers using application attacks to gain access to database records.
    – Insiders gathering inappropriate data through misconfigured access control.
    The vulnerabilities (how could the threat occur?):
    – Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
    – Application vulnerabilities (e.g., SQL injection, command injection)
    – Misconfigured database access controls
    Current mitigation (what is currently reducing the risk?):
    – Staff
    – Technology
    – Processes
  • 37. Case Study: Axolotl, Health Information Exchange (HIE) Solution Provider
  • 38. Axolotl Overview
    – Since 1995, Axolotl has been providing advanced Clinical Networking solutions
    – Health Information Exchange has become a necessary foundation to support the “meaningful use” of health information technology
    – Cloud environment – supports electronic sharing of data among hospitals, physicians, clinical laboratories, pharmacies, health plans (insurers), and public health department
    – Security and regulatory compliance are imperative for Axolotl’s customers
    Founded: 1995
    Location: San Jose, California
    Industry: Healthcare Technology Provider
    Solutions For: Hospitals & Health Systems, RHIOs, State Health Agencies, Physicians
    Employees: 200
  • 39. Solution for Axolotl
    Areas Covered:
    – Comprehensive information security assessment of governance and operational processes covering both production and internal systems
    – Thorough assessment of policies, practices, and procedures from both an internal and external point of view
    – Axolotl has been able to use information security and compliance as a distinct advantage in a fiercely competitive segment of the healthcare market.
  • 41. Some Additional Thoughts…
  • 42. Common Themes and Issues • Lack of Documentation • Managers unaware of • Lack of Awareness of their role and Programs responsibilities in privacy • Insufficient Training and and security Education • Management of Business • Lack of adequate Associate Relationships Disaster and Business • Lack of or outdated Continuity Planning Encryption Policy and • Privacy and Security less Procedures priority than Safety or • Who to Contact in case of Quality Programs perceived or actual • Mobile Device Policy and Security Breach or Procedures Privacy Incident
  • 43. EHR for the Future • Whatever happens to the health care agenda, EHRs will continue to evolve and regionalization will occur • Some geographical areas will develop mature EHRs faster than others • Patients/consumer engagement is gaining traction • Vendor market will consolidate and be more accountable
  • 45. Strategies for a Risk Assessment •Evaluation/ Review • Establish a formal, ongoing Evaluation Process •Risk Analysis and Review Process using independent •Steering consultant/third party. Conduct the review Committee •Governance using project management tools and •Metrics/ methods. Scoreboard •Risk/Threats •Integrated Assessment • Perform Risk Analysis, following •Risk Profile established policies and procedures, at a •Consultant Criteria minimum, every three years or whenever •Sr. Mgmt. there is a significant change in the Support •Penalties environment (e.g.,new system, new regs, •Document! new service, new threats, changes in senior management)
  • 46. Strategies for Risk Assessment •Evaluation/ Review • Establish an ongoing Steering Committee: Process •Risk Analysis o Dedicate a multi-disciplinary team •Steering responsible for guiding the Evaluation and Committee •Governance Risk Assessment Processes; utilize existing •Metrics/ team/committee if appropriate Scoreboard •Risk/Threats •Integrated • Establish governance structure/process for Assessment •Risk Profile Security and Privacy  reports to BOD, Audit & •Consultant Compliance Committee, Strategic Planning Criteria Committee, etc. •Sr. Mgmt. Support •Penalties • Security and Privacy Metrics/Scoreboard •Document!
• 47. Strategies for Risk Assessment
  • Determine level of risk and threat to the organization, e.g.,
    o Security Breach
    o Identity Theft/Medical Identity Theft
    o Privacy Complaints/OCR Complaints/Patient Suits
    o Organization’s “Risk Appetite”
    o Organizational reputation
    o Financial consequences
  • Integrate risk assessment for security and privacy into the organization-wide risk assessment, i.e., a risk assessment for all types of risk
  • Develop and communicate Risk Profile
• 48. Strategies for a Risk Assessment
  • Retain an independent consultant that meets specific criteria:
    o Determine qualifications of individuals performing the review
    o Ask questions to ascertain if consultants possess “hands on” experience
    o Do reports summarize data or provide a noted gaps analysis?
    o Does the consultant provide a “to do list” based upon the audit results, mapping a path for the organization to follow, or is it buried in the summary?
    o Do you understand the results and have support from the organization to resolve the issues identified?
• 49. Strategies for a Risk Assessment
  • Elicit support from senior management to provide adequate resources to address areas of identified risk
  • Note: Organizations that ignore findings are subject to increased penalties!
  • Documentation and retention of action plans and follow-up is key to surviving and resolving audits and investigations.
• 50. Successful Information Risk Management Program
  1. Organizing for performance
  2. Assessing risk
  3. Decision analysis
  4. Policy implementation
  5. Measuring program effectiveness
  6. Repeat steps 2-5; adjust the organization defined in step 1 to evolving business requirements
• 51. Risk Management Process: Detail
  • Step 1. Assess Risk: Identify and prioritize risks to the business.
    a. Plan data gathering.
    b. Gather risk data.
    c. Prioritize risks.
  • Step 2. Decision Analysis: Evaluate requirements, understand possible solutions, select controls, estimate costs, and choose the most effective mitigation strategy.
    a. Define functional requirements to mitigate risks.
    b. Outline possible control solutions.
    c. Estimate risk reduction.
    d. Estimate solution cost.
    e. Choose mitigation strategy.
  • Step 3. Policy Implementation: Acquisition and deployment of controls to carry out the policy.
    a. Ensure policy specifications are enforceable.
    b. Integrate process automation, people, and technology in the mitigation solution.
    c. Defense in depth – coordinate application, system, data, and network controls.
    d. Communicate policies and control responsibilities throughout the organization.
  • Step 4. Measure Effectiveness: Develop and disseminate reports. Provide management a dashboard of program effectiveness.
    a. Management dashboard that summarizes the organization’s risk profile.
    b. Report on changes under consideration and underway.
    c. Communicate effectiveness of the control solutions in mitigating risk.
    d. Report on the existing environment in terms of threats, vulnerabilities and risk profile.
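A worked illustration of steps 1c, 2c-e and 4a above (prioritize risks, estimate risk reduction against cost, choose a mitigation strategy within a budget, and summarize the residual risk profile for a management dashboard). This is example code added here, not from the slides or the presenters; the risk register, scores, control costs and reduction fractions are constructed sample values.

```python
# Added illustration (not from the slides) of the process above: prioritize
# risks (1c), estimate reduction and cost and choose a mitigation strategy
# (2c-e), and summarize the residual risk profile for the dashboard (4a).
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe: penalties, reputation, cost)
    @property
    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    risk: str         # name of the Risk it mitigates
    cost: float       # estimated annual cost of the control
    reduction: float  # fraction of the risk score it removes (0..1)

def prioritize(risks):  # step 1c: highest inherent score first
    return sorted(risks, key=lambda r: r.score, reverse=True)

def choose_controls(risks, controls, budget):
    """Steps 2c-e: best risk points removed per dollar first, while in budget."""
    score = {r.name: r.score for r in risks}
    ranked = sorted(controls, key=lambda c: score[c.risk] * c.reduction / c.cost,
                    reverse=True)
    chosen, spent = [], 0.0
    for c in ranked:
        if spent + c.cost <= budget:
            chosen.append(c)
            spent += c.cost
    return chosen, spent

def dashboard(risks, chosen):
    """Step 4a: inherent vs. residual score, per risk and in total."""
    residual = {r.name: float(r.score) for r in risks}
    for c in chosen:
        residual[c.risk] = round(residual[c.risk] * (1 - c.reduction), 1)
    return {"inherent": sum(r.score for r in risks),
            "residual": round(sum(residual.values()), 1), "per_risk": residual}

# Constructed sample register (names, scores, costs and reductions are made up).
RISKS = [Risk("Unencrypted laptop lost", 4, 5), Risk("Unvetted business associate", 3, 4),
         Risk("Outdated continuity plan", 2, 4)]
CONTROLS = [Control("Full-disk encryption", "Unencrypted laptop lost", 20000, 0.9),
            Control("BA agreement review", "Unvetted business associate", 5000, 0.5),
            Control("DR/BC plan refresh", "Outdated continuity plan", 15000, 0.6)]
```

With a budget of 30000 the greedy selection takes the BA review and the encryption rollout, leaving a residual total of 16.0 against an inherent 40; the unfunded continuity-plan risk stays visible on the dashboard for the next cycle.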
  • 52. HIPAA Audit Scope Attributions