Meaningful Use Achieving Core Objective #14 Montana HIMMS 2012 Spring Convention
|
|
- Reynard Simpson
- 6 years ago
- Views:
Transcription
1 Meaningful Use Achieving Core Objective #14 Montana HIMMS 2012 Spring Convention Presented by John Whalen CISSP, CISA, CRISC
2 Contents Objectives Risk exercise Breaches Meaningful Use What is an assessment? Risk Next steps
3 Key objectives To remove mystery To illuminate info-sec aspects of Meaningful Use To help Montana hospitals avoid breaches
4 Exercise loss of PHI 1. Imagine that your hospital has been hacked. Please consider the ramifications. 2. What would this breach cost your hospital? Would it affect your hospital s reputation? Would it affect patient retention?
5 Healthcare breaches Frequency of data breaches increased 32% in 2011.
6 2012 breaches from Identity Theft Resource Center # of Breaches YTD: 160 # of Records Exposed YTD: 11.5 million 2012 Breaches Healthcare - 47 breaches YTD # of Records Exposed YTD: 1.4 million Healthcare Breaches
7 2012 Hospital breaches from Identity Theft Resource Center Oregon State Hospital Emory University Hospital North Shore-Long Island Jewish Health System Memorial Healthcare System Thomas Jefferson University Hospitals University of Arkansas Medical Sciences St. Joseph s Medical Center St. Elizabeth s Medical Center Sequoia Hospital Ohio State University Medical Center Howard University Hospital Robley Rex VA Medical Center Medical College of Georgia Kern Medical Center Hackensack University Medical Center
8 2011 Hospital breaches from Identity Theft Resource Center Swedish Medical Center Boulder Community Hospital Mount Sinai Hospital Texas Presbyterian Hospital Wake Forest Medical Center Loyola University Medical Center Provena Covenant Medical Center Methodist Charlton Medical Center Reid Hospital UMass Memorial Healthcare Fairview Southdale Hospital Jacobi Medical Center Trinity Medical Center Barnes Jewish Hospital Brigham and Women s Hospital Nyack Hospital Gunhill Medical Center North Central Bronx Hospital Tremont Health Center Texas Children s Hospital Saint Francis Broken Arrow Hospital Henry Ford Health System Charleston Area Medical Center VA Medical Centers in Akron, OH, Portland, OR and Lexington, KY Beth Israel Deaconess Medical Center Dekalb Medical Center Troy Regional Medical Center
9 Wall of shame at HHS Breaches Affecting 500 or More Individuals As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. ative/breachnotificationrule/breachtool.html
10 Hospital breaches-types Computer hackers through public website Lost or stolen paper medical records Lost or stolen laptops with ephi Stolen workstations Stolen thumb dives Stolen hard drives Computer hackers through viruses PHI stolen by employee Lost back up tapes Shared workstation breached Improper disposal of paper medical records
11 Increase in data breaches Paper records to digital less stable environment Push to digitize Outsourcing of data processing to cloud providers Increase in mobile devices to conduct business
12 Negative impact of breach What best describes the negative impact of breaches you experienced. Check all that apply. Brand or reputation diminishment 78% Time and productivity loss 81% Loss of patient goodwill 75% Loss of revenues 41% Cost of outside consultants and lawyers 40% Fines and penalties paid to regulators 26% lawsuits 19% Poor employee morale 15% No impact 16%
13 Per-record cost of healthcare breach $240
14 Breach cost breakdown Legal fees Consumer notifications Credit monitoring services Decreased patient retention Decreased patient acquisition -from Ponemon Institute
15 Patient churn 4.2 % Estimated number of customers who will terminate their relationship as a result of the breach incident. $113,400 Estimated average lifetime value of one lost patient. from Ponemon Institute
16 Survey of 400 breach victims 55% trusted the organization less 29% will terminate future relationship
17 Healthcare security 55 % of health care organizations say they have little or no confidence they are able to detect all privacy incidents. 61 % of organizations are not confident they know where their patient data is physically located.
18 IT s perspective My organization s senior management does not view privacy and data security as a top priority. 70% My organization does not have ample resources to ensure privacy and data security requirements are met. 61% My organization does not have adequate policies and procedures to protect health information. 54%
19 $1.5 M HIPAA fine Blue Cross Blue Shield TN This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. OCR Director Leon Rodriguez
20 Meaningful Use HIPAA Privacy & security of patient info HITECH Breach notification, penalties, legal remedies Meaningful Use Protect patient info, conduct security assessment Security assessment Document current state, discover vulnerabilities Baseline & roadmap Mitigate. Put controls in place.
21 Hitech: Changes to HIPAA As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. Increased penalties based on three levels of culpability: 1) unknowing violation 2) violation due to reasonable cause 3) violation due to willful neglect
22 Hitech: Changes to HIPAA Civil penalties for the people involved ranging from $100 to $50,000 per violation, up to a maximum of $25,000 to $1,500,000 per year for the same violation. State Attorneys General authorized to bring civil actions under HIPAA on behalf of state residents. Business associates subject to HIPAA
23 HITECH and Meaningful Use = added enforcement "HIPAA wasn't being enforced anyway, so organizations felt they could do whatever they wanted and call themselves HIPAA compliant and secure, because nobody was ever going to knock on their doors." Paul Proctor, Gartner Inc.
24 Enforcement by complaint Periodic audits by Center for Medicare/ Medicaid HHS Office of Civil Rights began reporting its Security Rule enforcement results in October 2009: 436 complaints received 198 complaints closed 304 open complaints and compliance reviews
25 OCR enforcement Most investigated compliance issues: 1. Impermissible uses and disclosures of protected health information 2. Lack of safeguards of protected health information 3. Lack of patient access to their protected health information 4. Uses or disclosures of more than the minimum necessary protected health information 5. Lack of administrative safeguards of electronic protected health information
26 Remediation Entities with health information reported the following remedial action steps after the breaches: Revise policies and procedures Improve physician security by installing new security systems or relocation of equipment to safer places Train workers how to handle protected health information Provide free credit monitoring for customers Adopt encryption technology Improve sanctions against violators of policies and procedures Change passwords Perform a new risk assessment Revise business associate contracts to more explicitly require protection of confidential information
27 Enforcement by audit May 2011 HHS Office of Inspector General criticizes CMS oversight on HIPAA and HITECH as insufficient and recommends Office of Civil Rights implement random audits June 2011 OCR contracts with Booze Allen Hamilton to identify candidates June 2011 $9.2 million awarded to KPMG for 150 audits by end of 2012
28 HITECH & Incentive Payments HITECH (Health Information Technology for Economic and Clinical Health Act) Established programs under Medicare and Medicaid to provide incentive payments to EPs, hospitals, and critical access hospitals for the meaningful use of certified EHR technology. Electronic Health Record (EHR) Incentive Program The American Recovery and Reinvestment Act of 2009 (Recovery Act)
29 Medicaid Eligible Hospitals Eligible hospitals will qualify for incentive payments if they adopt, implement, upgrade or demonstrate meaningful use of certified EHR technology during the first participation year or successfully demonstrate meaningful use of certified EHR technology in subsequent participation years.
30 Reimbursement rates Providers failing to demonstrate meaningful use by 2014 will face Medicare penalties in the form of reductions in reimbursement rates starting in For year 2015, adjusted reimbursement rates will be 99%, % and %.
31 Core Objectives For eligible hospitals, there are a total of 24 meaningful use objectives. To qualify for an incentive payment, 19 of these 24 objectives must be met. There are 14 required core objectives. The remaining 5 objectives may be chosen from the list of 10 menu set objectives.
32 Core Set Objective # 14 Conduct or review a security risk analysis per 45 CFR ( (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
33 Administrative safeguards. (a) A covered entity must, in accordance with : (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
34 Administrative safeguards (cont.) (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
35 For reference Security standards: General rules. (a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce. (b) Flexibility of approach. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.
36 What is a security assessment? Baseline Roadmap
37 Think home inspection.
38 Ethical hackers Same tools as the hackers use An audit perspective
39 Assessment phases External vulnerability testing Internal testing Interviews Review of policies Wireless, passwords, physical security Remote offices visited
40 Deliverable Executive summary Tools and methodology Rating criteria Managerial and operational Technical Physical HIPAA-Readiness Technical reports
41 Risk matrix Vulnerability Risk rating Difficulty rating Description Action plan
42 What s your appetite for risk?
43 It s all about risk! Is $50,000 expensive? Is a long password too much to ask? Is a security policy too much trouble?
44 The Risk Executive Function
45 The Risk Executive Function Provides senior leadership input and oversight Integrates security organization-wide Risk-based protection strategies beyond single systems Visibility into mission/business processes and systems
46 Risk-Based Protection Strategies Identifying Understanding Mitigating Explicitly accepting residual risk
47 The CIA Triad Confidentiality prevents unauthorized disclosure of sensitive information Integrity prevents unauthorized modification of sensitive information Availability prevents disruption of service and productivity
48 Risk Analysis Risk analysis is a tool to: Identify the company s assets Calculate their values Identify vulnerabilities Estimate the threats and associated risks Assess the impact on the company if threat agents took advantage of current vulnerabilities
49 Risk assessment Gather stakeholders Analyze risk Hospital assets Potential threats Likelihood of threats acting against assets
50 Next steps Risk assessment: an internal effort to determine what is at risk. Gives context for security costs, disaster recovery and business continuity. Security assessment: use an independent team Discover vulnerabilities Prioritize vulnerabilities according to risk to your hospital / clinic Fix the holes in security Test again Ongoing: Submit your hospital to an infosec audit regime as you do with ongoing financial audits.
51 Hack: Hyundai Capital South Korea s largest consumer-finance company Hack occurred April 2011 According to CEO Biggest mistake: treating the IT department as simply one of many units that helped the company get its main job done Today he treats it as central to everything the company does Now the new IT security group reports directly to CEO From Wall Street Journal 6/21/11
52 CEO, Ted Chung What I learned from the hack: 1. Trust the authorities 2. Stay open and transparent 3. Learn IT and know where the vulnerabilities are 4. Create a philosophy that drives IT decisions 5. Reassess plans for products and services How things look and how they work is now secondary. Security is now first. From Wall Street Journal 6/21/11
53 Calculate your risk Multiply the number of records in the EMR by $240
54 Thank you! Have a great conference! John Whalen Security Practice Leader jwhalen@ceriumnetworks.com
MEANINGFUL USE & RISK ASSESSMENT
MEANINGFUL USE & RISK ASSESSMENT Montana HIMSS 2013 Spring Convention Presented by John Whalen CISSP, CISA, CRISC Contents 1. What are we protecting? 2. In what ways are protecting it? 3. What is Meaningful
More informationHealth Information Exchange 101. Your Introduction to HIE and It s Relevance to Senior Living
Health Information Exchange 101 Your Introduction to HIE and It s Relevance to Senior Living Objectives for Today Provide an introduction to Health Information Exchange Define a Health Information Exchange
More informationHCCA Institute Privacy Officer Round Table Discussion
HCCA Institute Privacy Officer Round Table Discussion Marti Arvin Deann Baker Why We re Here X A facilitated discussion of current issues that Privacy Professionals are dealing with in their day-to-day
More informationChapter 9 Legal Aspects of Health Information Management
Chapter 9 Legal Aspects of Health Information Management EXERCISE 9-1 Legal and Regulatory Terms 1. T 2. F 3. F 4. F 5. F EXERCISE 9-2 Maintaining the Patient Record in the Normal Course of Business 1.
More informationStatus Check On Health IT
Status Check On Health IT CTHIMA Annual Conference September 17, 2017 Slides Prepared by Jennifer L. Cox, J.D. Cox & Osowiecki, LLC Hartford, Connecticut 1 The Future Of Healthcare And Health IT Are Not
More informationPatient Privacy Requirements Beyond HIPAA
Patient Privacy Requirements Beyond HIPAA Jane Hyatt Thorpe, J.D. School of Public Health and Health Services George Washington University Carrie Bill, J.D. Feldesman Tucker Leifer Fidell LLP The George
More informationA general review of HIPAA standards and privacy practices 2016
A general review of HIPAA standards and privacy practices 2016 45 CFR, 164 Health Insurance Portability and Accountability Act Treatment, Payment and Healthcare Operations 42 CFR, Part 2, Confidentiality
More informationMITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION
MITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION Authors: Mariela Twiggs, MS, RHIA, CHP, FAHIMA National Director, Training and Compliance for MRO
More informationFCSRMC 2017 HIPAA PRESENTATION
FCSRMC 2017 HIPAA PRESENTATION BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international
More informationAUDIT DEPARTMENT UNIVERSITY MEDICAL CENTER HIPAA COMPLIANCE. For the period October 2008 through May JEREMIAH P. CARROLL II, CPA Audit Director
UNIVERSITY MEDICAL CENTER HIPAA COMPLIANCE For the period October 2008 through May 2009 JEREMIAH P. CARROLL II, CPA Audit Director Audit Department 500 S Grand Central Pkwy Ste 5006 PO Box 551120 Las Vegas
More informationPreparing for the upcoming 2016 HIPAA audits: Lessons and examples from past breaches and fines
Preparing for the upcoming 2016 HIPAA audits: Lessons and examples from past breaches and fines 1 Your Presenters Robert Grant Co-Founder and Chief Strategy Officer of Compliancy Group Over 15 years of
More informationChapter 19 Section 3. Privacy And Security Of Protected Health Information (PHI)
Health Insurance Portability and Accountability Act (HIPAA) of 1996 Chapter 19 Section 3 1.0 BACKGROUND AND APPLICABILITY 1.1 The contractor shall comply with the provisions of the Health Insurance Portability
More informationInformation Privacy and Security
Information Privacy and Security 2015 Purpose of HIPAA HIPAA stands for the Health Insurance Portability and Accountability Act. Its purpose is to establish nationwide protection of patient confidentiality,
More informationEstablishing and Implementing a Process to Investigate and Resolve Privacy Breaches and Complaints
Establishing and Implementing a Process to Investigate and Resolve Privacy Breaches and Complaints Barbara Seitz, RHIA Privacy Officer/Director of HIM South Peninsula Hospital Homer, AK Becky Buegel, RHIA
More informationProtecting Health Information: Health Data Security Training
Protecting Health Information: Health Data Security Training How to secure patient information and manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security
More informationUpdated FY15 Dignity Health General Compliance Education for Staff Module 2
Updated FY15 Dignity Health General Compliance Education for Staff Module 2 This course will provide you with important information about the laws and regulations that affect the healthcare industry, our
More informationDoes HIPAA Satisfy Meaningful Use? Two regulations with one stone
Does HIPAA Satisfy Meaningful Use? Two regulations with one stone Tod Ferran, CISSP, QSA Hi There! Tod Ferran 25 years working with IT and physical security 3 years PCI and HIPAA security consulting, performing
More informationA self-assessment for GxP and HIPAA concerns
WHITE PAPER IS YOUR ORGANIZATION AT RISK? A self-assessment for GxP and HIPAA concerns MDDX RESEARCH & INFORMATICS 58 California St, Floor 6 San Francisco, California 9 T (8) -MDDX F (866) 8-696 info@mddx.com
More informationLast Chance to Review Your Security Risk Analysis
Learning Forum Fridays Countdown to MIPS Data Submission Webinar Series Last Chance to Review Your Security Risk Analysis Emilie Sundie, MSCIS, PMP, CPHIMS Director, Health IT Services Kari Vanderslice,
More informationThe Privacy & Security of Protected Health Information
The Privacy & Security of Protected Health Information By the end of this course, you should: Be familiar with the patient s rights to privacy under HIPAA Privacy Act Be able to identify Protected Health
More informationAdvanced HIPAA Communications and University Relations
Advanced HIPAA Communications and University Relations accepts no liability of any use reliance placed on it, as it is warranty, express, or implied, or completeness of 1 the HIPAA Health Insurance Portability
More informationHIPAA Education Program
HIPAA Education Program 2017-2018 Assurance and Compliance Services HIPAA Training Requirement This HIPAA Training Program is intended for and will satisfy the training requirement for the: Mount Sinai
More information2018 Employee HIPAA Orientation (EHO) Handbook
2018 Employee HIPAA Orientation (EHO) Handbook Using EHO The material in this booklet is designed to provide newly hired employees with an understanding of HIPAA s regulations and their impact on the employee
More informationWhat is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996
Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,
More informationHIPAA and HITECH: Privacy and Security of Protected Health Information
HIPAA and HITECH: Privacy and Security of Protected Health Information What is HIPAA? Health Insurance Portability and Accountability Act of 1996 A federal law enacted to: Protect the privacy of a patient
More informationConsumer View of Personal Information Risks
Navigating the ephi Minefield Meaningful Consent Meets the Restriction Requirements of the HIPAA Omnibus Rule Timothy Kelly, MS, MBA Standard Register Healthcare Consumer View of Personal Information Risks
More informationWilliamson County EMS (WCEMS) HIPAA Training for Third Out Riders
Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders Training Statement: This training program is designed to educate you on WCEMS legal requirements to protect our patients rights and confidentiality,
More informationHIPAA THE PRIVACY RULE
HIPAA THE PRIVACY RULE Reviewed December 2012 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of antidepressant medications in their mail. 2 HISTORY Many
More informationHealthcare Privacy Officer on Evaluating Breach Incidents A look at tools and processes for monitoring compliance and preserving your reputation
Healthcare Privacy Officer on Evaluating Breach Incidents A look at tools and processes for monitoring compliance and preserving your reputation June 20, 2012 ID Experts Webinar www.idexpertscorp.com Mahmood
More informationNotice of Privacy Practices
River Valley Chiropractic LLC Notice of Privacy Practices Effective 9/2014; Revised 9/2014 If you have any questions about this notice, please contact the River Valley Chiropractic Privacy Officer at 308-534-5840.
More informationIf you have any questions about this notice, please contact the SSHS Privacy Officer at:
Notice of Privacy Practices 0 Effective Date: April 14, 2003 Revision Date: July 15, 2016 South Shore Health System ( SSHS ) is an integrated health care delivery system. For a list of entities which comprise
More informationDO ASK BUT DON T TELL HIPAA PRIVACY RULE
DO ASK BUT DON T TELL HIPAA PRIVACY RULE HITECH/OMNIBUS FINAL RULE HIPAA enacted in 1996; compliance required April 14, 2003 for the Privacy Rule and April 21, 2005 for the Security Rule surrounding electronic
More informationHITECH Act. Overview and Estimated Timeline
HITECH Act Overview and Estimated Timeline Key Program, Distribution, Use and Recipients for the HITECH Act* Focused Funds ($2 billion) PROGRAM DISTRIBUTION AGENCY USE OF FUNDS RECIPIENTS HIE Planning
More informationCLINICIAN S GUIDE TO HIPAA PRIVACY
CLINICIAN S GUIDE TO HIPAA PRIVACY Introduction... 2 What is HIPAA?... 2 Health Information Privacy... 2 Protected Health Information... 3 Identifiers... 3 HIPAA s Impact on Clinical Practice, Treatment,
More informationEast Carolina University 2010 Annual HIPAA Privacy Training
East Carolina University 2010 Annual HIPAA Privacy Training What are the HIPAA Privacy and Security Rules? Federal laws that govern the use and disclosure of health information of our patients and research
More informationOSHA & HIPAA Seminar. Northern Texas Facial & Oral Surgery
OSHA & HIPAA Seminar Sponsored By Northern Texas Facial & Oral Surgery April 11, 2014 Power Point Slides For The Course Power Point handout slides are provided for your use during the lecture. Bring these
More informationPrivacy and Security Training for Connecting Ontario. PACE Cardiology April, 2017
Privacy and Security Training for Connecting Ontario PACE Cardiology April, 2017 Session Goals By the end of this session you will: Review key elements of privacy protection Know your privacy obligations
More informationSecurity Risk Analysis and 365 Days of Meaningful Use. Rodney Gauna & Val Tuerk, Object Health
Security Risk Analysis and 365 Days of Meaningful Use Rodney Gauna & Val Tuerk, Object Health 2 3 Agenda Guidelines for Conducting a Security Risk Analysis Scope of Analysis Risk of a Breach Security Risks
More informationHIMSS Security Survey
NOVEMBER 3, HIMSS Security Survey sponsored by Intel Supported by Sponsored by HIMSS Security Survey Sponsored by Intel Final Report November 3, Now in its third year, the HIMSS Security Survey, sponsored
More informationMCCP Online Orientation
1 Objectives At the conclusion of this presentation, students will be able to: Discuss application of HIPAA to student s role. Describe the federal requirements of the HIPAA/HITECH regulations that protect
More informationYour Role in Protecting Patient Privacy 2018
Your Role in Protecting Patient Privacy 2018 1 Training Focus This training will focus on what responsibilities you have in order to ensure that both you and our organization are in compliance with state
More informationCHI Mercy Health. Definitions
CHI Mercy Health Definitions If you have any questions about this notice, please contact the CHI Mercy Health s Privacy Office at (701) 845-6540 or 570 Chautauqua Blvd, Valley City ND 58072. Notice of
More informationNational Health Information Privacy and Security Week. Understanding the HIPAA Privacy and Security Rule
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule HIPAA Privacy and Security HIPAA Privacy Rule Final implementation April 14, 2003 Today: Monitor
More informationTitle: HIPAA PRIVACY ADMINISTRATIVE
Administrative-HIPAA Privacy Title: HIPAA PRIVACY ADMINISTRATIVE Scope: All MultiCare Health System (MHS) workforce members, which includes but not limited to, employees, residents, students, volunteers
More informationOVERVIEW OF THE USES AND DISCLOSURES OF PHI
PRIVACY 24.0 OVERVIEW OF THE USES AND DISCLOSURES OF PHI Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have direct or
More informationHIPAA Breach Policy & Procedures Handbook
HIPAA Breach Policy & Procedures Handbook TABLE OF CONTENTS PART 1: POLICY... 5 I. Introduction... 6 Purpose... 6 Rationale... 6 Policy Statement... 6 Scope... 7 Definitions... 7 EXCEPTIONS... 7 II. Responsibility...
More informationOREGON HIPAA NOTICE FORM
MARCIA JOHNSTON WOOD, Ph.D. Clinical Psychologist 5441 SW Macadam, #104, Portland, OR 97239 Phone (503) 248-4511/ Fax (503) 248-6385 - Effective Sept.23, 2013 - (This copy for you to keep) OREGON HIPAA
More informationMedicare Compliance and HIPAA Updates With Mario Fucinari DC, CCSP, CPCO, MCS-P, MCS-I Sponsored by NCMIC
Medicare Compliance and HIPAA Updates With Mario Fucinari DC, CCSP, CPCO, MCS-P, MCS-I Sponsored by NCMIC The information contained in these notes is for educational purposes and is not intended to be
More informationNOTICE OF PRIVACY PRACTICES
VII-07B Notice of Privacy Practices (p) The MetroHealth System 2500 MetroHealth Drive Cleveland, OH 44109-1998 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW WE MAY USE AND DISCLOSE YOUR PROTECTED
More informationCompliance Program Updated August 2017
Compliance Program Updated August 2017 Table of Contents Section I. Purpose of the Compliance Program... 3 Section II. Elements of an Effective Compliance Program... 4 A. Written Policies and Procedures...
More informationNOTICE OF PRIVACY PRACTICES
NOTICE OF PRIVACY PRACTICES 1 Effective Date: April 14, 2003 Revised: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO
More informationPARAGOULD DOCTORS CLINIC PRIVACY NOTICE
PARAGOULD DOCTORS CLINIC PRIVACY NOTICE Protected Health Information THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE
More informationTHE ECONOMICS OF MEDICAL PRACTICE UNDER HIPAA/HITECH
THE ECONOMICS OF MEDICAL PRACTICE UNDER HIPAA/HITECH Gerald Jud E. DeLoss Serene K. Zeni (312) 985-5925 (248) 988-5894 gdeloss@ szeni@ AGENDA 1. Meaningful Use Incentives 2. HIPAA Enforcement and Compliance
More informationEMPOWERING THE NEW HEATHCARE ERA
EMPOWERING THE NEW HEATHCARE ERA THE NJ/DV HIMSS REGIONAL MEETING NOVEMBER 12 14, 2014 BALLY S HOTEL & CASINO ATLANTIC CITY, NJ. Ensuring Privacy and Security of Health information Exchange in Pennsylvania
More informationNotice of HIPAA Privacy Practices Updates
Notice of HIPAA Privacy Practices Updates The following is a summary of the updates to the privacy notice for Meridian Hospitals Corporation, Meridian Home Care Services, Inc., Meridian Nursing & Rehabilitation,
More informationAGENDA. 10:45 a.m. CT Attendees Sign On 11:00 a.m. CT Webinar 11:50 a.m. CT Questions and Answers
AGENDA 10:45 a.m. CT Attendees Sign On 11:00 a.m. CT Webinar 11:50 a.m. CT Questions and Answers Asking Questions Throughout the webinar, type your questions using the "send note" button at the top of
More informationSUMMARY OF NOTICE OF PRIVACY PRACTICES
LAKE REGIONAL MEDICAL GROUP 54 HOSPITAL DRIVE OSAGE BEACH, MO 65065 SUMMARY OF NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
More informationCIO Legislative Brief
CIO Legislative Brief Comparison of Health IT Provisions in the Committee Print of the 21 st Century Cures Act (dated November 25, 2016), H.R. 6 (21 st Century Cures Act) and S. 2511 (Improving Health
More informationDavid Behinfar, JD, LLM, CHC, CIPP University of Florida College of Medicine Jacksonville UF Privacy Manager (904)
David Behinfar, JD, LLM, CHC, CIPP University of Florida College of Medicine Jacksonville UF Privacy Manager (904) 244 6229 david.behinfar@jax.ufl.edu 1 Presentation Summary High level Summary of the federal
More informationSecurity Risk Analysis
Security Risk Analysis Risk analysis and risk management may be performed by reviewing and answering the following questions and keeping this review (with date and signature) for evidence of this analysis.
More informationWAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES
WAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES Effective April 14, 2003 Revised February 17, 2010 Revised September 23, 2013 Revised July 1, 2016 This Notice of Privacy Practices applies to the
More informationCMS & REGULATORY COMPLIANCE STANDARDS ARE YOU FULLY PREPARED?
CMS & REGULATORY COMPLIANCE STANDARDS ARE YOU FULLY PREPARED? OVERVIEW Stringent CMS and regulatory standards are here. Is your Food & Nutrition Services Department ready to take the heat? We know your
More informationHIPAA Training
2011-2012 HIPAA Training New Hire Orientation and General Training 1 This training is to ensure all Health Management workforce members (associates, contracted individuals, volunteers and students) understand
More informationNOTICE OF PRIVACY PRACTICES
NOTICE OF PRIVACY PRACTICES 1 Effective Date: April 14, 2003 Revision Date: September 23, 2013 Revision Date: January 17, 2018 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationBreach Risk in Release of Information. Don t Leave Risk to Chance Key trends impacting healthcare providers
Breach Risk in Release of Information Don t Leave Risk to Chance Key trends impacting healthcare providers INTRODUCTION Privacy and security within a healthcare enterprise are topics often on the minds
More informationStudy Management PP STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information
PP-501.00 SOP For Safeguarding Protected Health Information Effective date of version: 01 April 2012 Study Management PP 501.00 STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information
More informationHealth Information Privacy Policies and Procedures
University of the Pacific Arthur A. Dugoni School of Dentistry Health Information Privacy Policies and s These Health Information Privacy Policies & s implement our obligations to protect the privacy of
More informationHIPAA Are You As Compliant as You Think?
HIPAA Are You As Compliant as You Think? Jillian Harrington, MHA, CPC, CPC-I, CPC-P, CCS, CCS-P Regulatory Specialist, HCPro, a division of BLR Agenda Elements of HIPAA Regulations HIPAA Case Study Reviews
More informationUSES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY
Page Number 1 of 8 TITLE: PURPOSE: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION: HIPAA PRIVACY POLICY To assure that individually identifiable health information contained in any University Health
More informationHIPAA Policies and Procedures Manual
UNIVERSITY of NORTH CAROLINA at CHAPEL HILL SCHOOL of NURSING HIPAA Policies and Procedures Manual November 2015 1 Table of Contents I. INTRODUCTION... 3 A. GENERAL POLICY... 3 B. SCOPE... 3 II. DEFINITIONS...
More informationPOTENTIAL LIABILITY: PATIENT HEALTH INFORMATION PORTALS
POTENTIAL LIABILITY: PATIENT HEALTH INFORMATION PORTALS Jeanne M. Born, RN, JD 22 JANUARY 2015 Jborn@nexsenpruet.com Medical Record Information: Ownership and Patient Rights The physician owns the physician
More informationPrivacy and Security Orientation for Visiting Observers. DUHS Compliance Office
Privacy and Security Orientation for Visiting Observers DUHS Compliance Office 919-668-2573 compliance@dm.duke.edu Introduction This orientation is to provide new Visiting Observers with the HIPAA Privacy
More informationExecTech. The following examples help explain why the US Government created the HIPAA Privacy Rule.
ExecTech ExecTech Guideline Six Steps to HIPAA Rules Compliance HIPAA, the Health Insurance Portability and Accountability Act, became law in 1996. Its original intent was to help employees change jobs
More informationSpecial Presentation: HIPAA Survival. Dr. Ty Talcott, CHPSE C: / PH: /
Special Presentation: HIPAA Survival Dr. Ty Talcott, CHPSE C: 469.371.8804 / PH: 214.437.7559 Ty.talcott@gmail.com / Info.hipaa@gmail.com Foxworth Video A Little about me. Ski Lift Acrobatics How do they
More informationStatement of Guidance: Outsourcing Regulated Entities
Statement of Guidance: Outsourcing Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1 This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on the establishment of
More informationHIPAA Privacy and Security Training for Researchers
HIPAA Privacy and Security Training for Researchers Version April 2017 Mountain States Health Alliance Bringing Loving Care to Health Care 1 Course Objectives This learning course covers HIPAA, HITECH,
More informationNOTICE OF PRIVACY PRACTICES
NOTICE OF PRIVACY PRACTICES Effective Date: April 14, 2003 Revised: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
More informationPrivacy & Security: What You Need to Know
Privacy & Security: What You Need to Know DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
More informationCAPITAL SURGEONS GROUP, PLLC
CAPITAL SURGEONS GROUP, PLLC NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW
More informationWRAPPING YOUR HEAD AROUND HIPAA PRIVACY REQUIREMENTS
WRAPPING YOUR HEAD AROUND HIPAA PRIVACY REQUIREMENTS Jeffrey Staton Attorney at Law Legal Aid Society of Louisville 416 W. Muhammad Ali Blvd., Ste. 300 Louisville, KY 40202 Phone: 502.614.3146 Jstaton@laslou.org
More informationValley Regional Medical Center HIPAA AND HITECH EDUCATION
Valley Regional Medical Center HIPAA AND HITECH EDUCATION Privacy and Security of Protected Health Information 1 HIPAA and Its Purpose What is HIPAA? Health Insurance Portability and Accountability Act
More information(PLEASE PRINT) Sex M F Age Birthdate Single Married Widowed Separated Divorced. Business Address Business Phone Cell Phone
(PLEASE PRINT) Emma Warner, MSW, LCSW, ACSW Tulsa, OK 74105 (918) 749-6935 Personal Information Name Address Last Name First Name Initial Home Phone Soc. Sec. # City State Zip Sex M F Age Birthdate Single
More informationTelemedicine Privacy and Security: Safeguarding Protected Health Information and Minimizing Risks of Disclosure
Presenting a live 90-minute webinar with interactive Q&A Telemedicine Privacy and Security: Safeguarding Protected Health Information and Minimizing Risks of Disclosure THURSDAY, AUGUST 13, 2015 1pm Eastern
More informationMURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES
CW CR 618 Exhibit A MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES Effective Date: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS
More informationFOUR TIPS: THE INVISIBLE IMPACT OF CREDENTIALING
FOUR TIPS: THE INVISIBLE IMPACT OF CREDENTIALING The Invisible Impact of Credentialing Four Tips: The past 8 to 10 years have been transformative in the business of providing healthcare. The 2009 American
More informationComparison of Health IT Provisions in H.R. 6 (21 st Century Cures Act) and S (Improving Health Information Technology Act)
Comparison of Health IT Provisions in H.R. 6 (21 st Century Cures Act) and S. 2511 (Improving Health Information Technology Act) Policy Proposal Health Software Regulation Senate Innovations Initiative
More informationAHLA. H. Preparing for a Meaningful Use Audit. Jill M. Girardeau Womble Carlyle Sandridge & Rice LLP Atlanta, GA
AHLA H. Preparing for a Meaningful Use Audit Jill M. Girardeau Womble Carlyle Sandridge & Rice LLP Atlanta, GA Dina Marty Associate Counsel Wake Forest University Wake Forest Baptist Medical Center Winston-Salem,
More informationREVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 PLEASE REVIEW IT CAREFULLY
REVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More information2514 Stenson Dr Cedar Park TX Fax
HIPAA QUESTIONS LESSON 2 1. Civil monetary penalties can be as high as: a. $100 b. $1,000 c. $10,000 d. $50,000 2. Civil penalties for HIPAA violations apply to: a. Covered entities b. Business associates
More information2018 HCCA Compliance Institute HIPAA Update: Policy & Enforcement. Policy Update: Marissa Gordon-Nguyen HHS OCR Senior Advisor
2018 HCCA Compliance Institute HIPAA Update: Policy & Enforcement Policy Update: Marissa Gordon-Nguyen HHS OCR Senior Advisor 2 1 OCR Responds to Nation s Opioid Crisis Opioid abuse crisis and national
More informationOur Services Include. Our Credentials
is a healthcare consulting and education firm providing services such as: IRO services, practice management and assessment services, A/R management and oversight, new practice set up that includes lease
More informationIt defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.
Office of Compliance Programs Revised: July 18, 2017 HIPAA Privacy HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all
More informationHeadline News: Anatomy of a VIP Records Breach
Watch the Replay Headline News: Anatomy of a VIP Records Breach Executive Series Webinar September 24, 2014 Today s Panel Kim Roberts, MS, RHIA, CHP Privacy Specialist Sparrow Health System kim.roberts@sparrow.org
More informationERIE COUNTY MEDICAL CENTER CORPORATION NOTICE OF PRIVACY PRACTICES. Effective Date : April 14, 2003 Revised: August 22, 2016
ERIE COUNTY MEDICAL CENTER CORPORATION NOTICE OF PRIVACY PRACTICES Effective Date : April 14, 2003 Revised: August 22, 2016 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationSeptember 3, Dear Provider:
September 3, 2014 Dear Provider: As a contractor with Centers for Medicare & Medicaid Services (CMS), Arkansas Blue Cross and Blue Shield are required by the regulations to develop and maintain a compliance
More informationNotice of Privacy Practices for Protected Health Information (PHI)
Notice of Privacy Practices for Protected Health Information (PHI) Dermatology Associates of Colorado, PC THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN
More informationASX CLEAR OPERATING RULES Guidance Note 9
OFFSHORING AND OUTSOURCING The purpose of this Guidance Note The main points it covers To provide guidance to participants on some of the issues they need to address when offshoring or outsourcing their
More informationHIPAA Privacy Training for Non-Clinical Workforce
Office of Compliance Programs HIPAA Privacy Training for Non-Clinical Workforce Revised: January 24, 2017 HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA)
More informationUnderstanding the Privacy and Security Regulations
Omnibus Rule Update HIPAA Handbook for Long-Term Care Staff Understanding the Privacy and Security Regulations Kate Borten, CISSP, CISM Handbook for Long-Term Care Staff Understanding the Privacy and Security
More informationHIPAA Privacy Rights and Operations Guide HIPAA Security Summary For the Practice of: Vail Aspen Breckenridge Dermatology
HIPAA Privacy Rights and Operations Guide HIPAA Security Summary For the Practice of: Vail Aspen Breckenridge Dermatology Publish Date: 1/2/2018 This guide has been created to serve Vail Aspen Breckenridge
More information