MEANINGFUL USE & RISK ASSESSMENT
|
|
- Randolf Hawkins
- 6 years ago
- Views:
Transcription
1 MEANINGFUL USE & RISK ASSESSMENT Montana HIMSS 2013 Spring Convention Presented by John Whalen CISSP, CISA, CRISC
2 Contents 1. What are we protecting? 2. In what ways are protecting it? 3. What is Meaningful Use asking for? 4. In what ways is Meaningful Use asking? 5. Practically speaking
3 Key objectives Understanding CIA Defining Risk Assessment Building Governance
4 ephi the crown jewels Financial Medical Identity Theft: Someone is getting medical help using your name and/or other information. Criminal Medical Identity Theft: You are being held responsible for the actions of another s criminal behavior. Government Benefit Fraud: Your medical benefits are being used by another person.
5 It s all about the money A major challenge for IT security is the increase in criminal attacks, which has seen an increase from 20 percent in 2010 to 33 percent this year.
6 2013 breaches from Identity Theft Resource Center # of Breaches YTD: 204 # of Records Exposed YTD: 44 million 2013 Breaches # of Breaches Healthcare YTD- 94 # of Records Exposed YTD: 1.5 million Healthcare Breaches
7 2012 Breaches top 3 causes Lost or stolen computing device Employee mistakes or unintentional actions Third-party snafus Fifty-two percent discovered the data breach as a result of an audit or assessment followed by employees detecting the breach
8 Hacked! 1. Please consider the ramifications. 2. What would this breach cost your hospital/clinic?
9 2012 Breaches Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March. Addresses, dates of birth, Social Security numbers, diagnoses codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah breach stands as the 9th largest data breach ever reported to the HHS.
10 2012 Breaches The South Carolina Department of Health and Human Services reported a data breach that started in January when an employee compiled data on more than 228,000 people and transmitted it to a private account.
11 2013 Hospital breaches from Identity Theft Resource Center South Shore Medical Center Wayne Memorial Hospital St. Mark's Medical Center Tallahassee Memorial HealthCare Upstate University Hospital John J. Pershing VA Medical Center South Miami Hospital Mount Sinai Medical Center Brookdale University Hospital and Medical Center Adventist Health System Glen Falls Hospital Saint Francis Hospital University of Mississippi Medical Center Baptist Health - South Miami Hospital Samaritan Hospital Froedtert Hospital Boca Raton Regional Hospital
12 2012 Hospital breaches from Identity Theft Resource Center Oregon State Hospital Emory University Hospital North Shore-Long Island Jewish Health System Memorial Healthcare System Thomas Jefferson University Hospitals University of Arkansas Medical Sciences St. Joseph s Medical Center St. Elizabeth s Medical Center Sequoia Hospital Ohio State University Medical Center Howard University Hospital Robley Rex VA Medical Center Medical College of Georgia Kern Medical Center Hackensack University Medical Center
13 2011 Hospital breaches from Identity Theft Resource Center Swedish Medical Center Boulder Community Hospital Mount Sinai Hospital Texas Presbyterian Hospital Wake Forest Medical Center Loyola University Medical Center Provena Covenant Medical Center Methodist Charlton Medical Center Reid Hospital UMass Memorial Healthcare Fairview Southdale Hospital Jacobi Medical Center Trinity Medical Center Barnes Jewish Hospital Brigham and Women s Hospital Nyack Hospital Gunhill Medical Center North Central Bronx Hospital Tremont Health Center Texas Children s Hospital Saint Francis Broken Arrow Hospital Henry Ford Health System Charleston Area Medical Center VA Medical Centers in Akron, OH, Portland, OR and Lexington, KY Beth Israel Deaconess Medical Center Dekalb Medical Center Troy Regional Medical Center
14 Hospital breaches-types Computer hackers through public website Lost or stolen paper medical records Lost or stolen laptops with ephi Stolen workstations Stolen thumb dives Stolen hard drives Computer hackers through viruses PHI stolen by employee Lost back up tapes Shared workstation breached Improper disposal of paper medical records
15 Increase in data breaches Paper records to digital less stable environment Push to digitize Outsourcing of data processing to cloud providers Increase in mobile devices to conduct business
16 Negative impact of breach What best describes the negative impact of breaches you experienced. Check all that apply. Brand or reputation diminishment 78% Time and productivity loss 81% Loss of patient goodwill 75% Loss of revenues 41% Cost of outside consultants and lawyers 40% Fines and penalties paid to regulators 26% lawsuits 19% Poor employee morale 15% No impact 16%
17 Per-record cost of healthcare breach $240
18 Breach cost breakdown Legal fees Consumer notifications Credit monitoring services Decreased patient retention Decreased patient acquisition
19 Patient churn 4.2 % Estimated number of customers who will terminate their relationship as a result of the breach incident. $113,400 Estimated average lifetime value of one lost patient.
20 The CIA Triad Confidentiality prevents unauthorized disclosure of sensitive information Integrity prevents unauthorized modification of sensitive information Availability prevents disruption of service and productivity
21 CIA Triad Confidentiality Integrity Availability
22 Meaningful Use HIPAA Privacy & security of patient info HITECH Breach notification, penalties, legal remedies Meaningful Use Protect patient info, conduct security assessment Risk assessment Determine potential risks, document current state, discover vulnerabilities Baseline & roadmap Mitigate. Put controls in place.
23 Administrative Safeguards Administrative safeguards are administrative actions, and policies and procedures, to: manage the selection, development, implementation, and maintenance of security measures to protect ephi to manage the conduct of the covered entity s or business associate s workforce in relation to the protection of that information.
24 Core Set Objective # 14 Conduct or review a security risk analysis per 45 CFR ( (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
25 Administrative safeguards. (a) A covered entity must, in accordance with : (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
26 Administrative safeguards (cont.) (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
27 For reference Security standards: General rules. (a) General requirements. Covered entities must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce. (b) Flexibility of approach. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.
28 Beyond technical Top 4 1. Risk assessment 2. Business continuity and disaster recovery 3. Policies 4. Security awareness training
29 It s all about risk! Is $100,000 expensive? Is a long password too much to ask? Is a security policy too much trouble?
30 What s your appetite for risk?
31 The Risk Executive Function
32 The Risk Executive Function Provides senior leadership input and oversight Integrates security organization-wide Risk-based protection strategies beyond single systems Visibility into mission/business processes and systems
33 Risk-Based Protection Strategies Identifying Understanding Mitigating Explicitly accepting residual risk
34 Risk Analysis Risk analysis is a tool to: Identify the company s assets Calculate their values Identify vulnerabilities Estimate the threats and associated risks Assess the impact on the company if threat agents took advantage of current vulnerabilities
35 Risk assessment Gather stakeholders Analyze risk Hospital assets Potential threats Likelihood of threats acting against assets
36 What is a security assessment? Baseline Roadmap
37 Think home inspection.
38 Ethical hackers Same tools as the hackers use An audit perspective
39 Assessment phases External vulnerability testing Internal testing Interviews Review of policies Wireless, passwords, physical security Remote offices visited
40 Deliverable Executive summary Tools and methodology Rating criteria Managerial and operational Technical Physical HIPAA-Readiness Technical reports
41 Risk matrix Vulnerability Risk rating Difficulty rating Description Action plan
42 Next steps Risk assessment: an internal effort to determine what is at risk. Gives context for security costs, disaster recovery and business continuity. Security assessment: use an independent team Discover vulnerabilities Prioritize vulnerabilities according to risk to your hospital / clinic Fix the holes in security Test again Ongoing: Submit your hospital to an infosec audit regime as you do with ongoing financial audits.
43 BCP NIST Sustaining an organization s mission/business processes during and after a disruption.
44 BCP NIST Develop the contingency planning policy statement. 2. Conduct the business impact analysis (BIA). 3. Identify preventive controls. 4. Create contingency strategies. 5. Develop an information system contingency plan. 6. Ensure plan testing, training, and exercises. 7. Ensure plan maintenance.
45 Key Policies Internet use Remote access Removable media Encryption Data classification Vendor management, Business associate agreements Termination
46 Security Awareness Training NIST A needs assessment has been conducted A strategy has been developed An awareness and training program plan for implementing that strategy has been completed Awareness and training material has been developed.
47 Success Indicators Sufficient funding to implement the agreed-upon strategy. Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy. Support for broad distribution and posting of security awareness items. Executive/senior level messages to staff regarding security Use of metrics
48 Success Indicators Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file. Level of attendance at mandatory security forums/briefings. Recognition of security contributions Motivation demonstrated by those playing key roles in managing/coordinating the security program.
49 Hack: Hyundai Capital South Korea s largest consumer-finance company Hack occurred April 2011 According to CEO Biggest mistake: treating the IT department as simply one of many units that helped the company get its main job done Today he treats security as central to everything the company does Now the new IT security group reports directly to CEO From Wall Street Journal 6/21/11
50 CEO, Ted Chung What I learned from the hack: 1. Trust the authorities 2. Stay open and transparent 3. Learn IT and know where the vulnerabilities are 4. Create a philosophy that drives IT decisions 5. Reassess plans for products and services How things look and how they work is now secondary. Security is now first. From Wall Street Journal 6/21/11
51 Calculate your risk Multiply the number of records in the EMR by $240
52 Thank you! Have a great conference!
Meaningful Use Achieving Core Objective #14 Montana HIMMS 2012 Spring Convention
Meaningful Use Achieving Core Objective #14 Montana HIMMS 2012 Spring Convention Presented by John Whalen CISSP, CISA, CRISC Contents Objectives Risk exercise Breaches Meaningful Use What is an assessment?
More informationChapter 9 Legal Aspects of Health Information Management
Chapter 9 Legal Aspects of Health Information Management EXERCISE 9-1 Legal and Regulatory Terms 1. T 2. F 3. F 4. F 5. F EXERCISE 9-2 Maintaining the Patient Record in the Normal Course of Business 1.
More informationHealth Information Exchange 101. Your Introduction to HIE and It s Relevance to Senior Living
Health Information Exchange 101 Your Introduction to HIE and It s Relevance to Senior Living Objectives for Today Provide an introduction to Health Information Exchange Define a Health Information Exchange
More informationInformation Privacy and Security
Information Privacy and Security 2015 Purpose of HIPAA HIPAA stands for the Health Insurance Portability and Accountability Act. Its purpose is to establish nationwide protection of patient confidentiality,
More informationPreparing for the upcoming 2016 HIPAA audits: Lessons and examples from past breaches and fines
Preparing for the upcoming 2016 HIPAA audits: Lessons and examples from past breaches and fines 1 Your Presenters Robert Grant Co-Founder and Chief Strategy Officer of Compliancy Group Over 15 years of
More informationChapter 19 Section 3. Privacy And Security Of Protected Health Information (PHI)
Health Insurance Portability and Accountability Act (HIPAA) of 1996 Chapter 19 Section 3 1.0 BACKGROUND AND APPLICABILITY 1.1 The contractor shall comply with the provisions of the Health Insurance Portability
More informationA self-assessment for GxP and HIPAA concerns
WHITE PAPER IS YOUR ORGANIZATION AT RISK? A self-assessment for GxP and HIPAA concerns MDDX RESEARCH & INFORMATICS 58 California St, Floor 6 San Francisco, California 9 T (8) -MDDX F (866) 8-696 info@mddx.com
More informationFCSRMC 2017 HIPAA PRESENTATION
FCSRMC 2017 HIPAA PRESENTATION BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international
More informationUpdated FY15 Dignity Health General Compliance Education for Staff Module 2
Updated FY15 Dignity Health General Compliance Education for Staff Module 2 This course will provide you with important information about the laws and regulations that affect the healthcare industry, our
More informationAdvanced HIPAA Communications and University Relations
Advanced HIPAA Communications and University Relations accepts no liability of any use reliance placed on it, as it is warranty, express, or implied, or completeness of 1 the HIPAA Health Insurance Portability
More informationWhat is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996
Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,
More informationEMPOWERING THE NEW HEATHCARE ERA
EMPOWERING THE NEW HEATHCARE ERA THE NJ/DV HIMSS REGIONAL MEETING NOVEMBER 12 14, 2014 BALLY S HOTEL & CASINO ATLANTIC CITY, NJ. Ensuring Privacy and Security of Health information Exchange in Pennsylvania
More informationMITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION
MITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION Authors: Mariela Twiggs, MS, RHIA, CHP, FAHIMA National Director, Training and Compliance for MRO
More informationCLINICIAN S GUIDE TO HIPAA PRIVACY
CLINICIAN S GUIDE TO HIPAA PRIVACY Introduction... 2 What is HIPAA?... 2 Health Information Privacy... 2 Protected Health Information... 3 Identifiers... 3 HIPAA s Impact on Clinical Practice, Treatment,
More informationHIPAA Privacy Training for Non-Clinical Workforce
Office of Compliance Programs HIPAA Privacy Training for Non-Clinical Workforce Revised: January 24, 2017 HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA)
More informationAUDIT DEPARTMENT UNIVERSITY MEDICAL CENTER HIPAA COMPLIANCE. For the period October 2008 through May JEREMIAH P. CARROLL II, CPA Audit Director
UNIVERSITY MEDICAL CENTER HIPAA COMPLIANCE For the period October 2008 through May 2009 JEREMIAH P. CARROLL II, CPA Audit Director Audit Department 500 S Grand Central Pkwy Ste 5006 PO Box 551120 Las Vegas
More informationHIPAA Training
2011-2012 HIPAA Training New Hire Orientation and General Training 1 This training is to ensure all Health Management workforce members (associates, contracted individuals, volunteers and students) understand
More informationNational Health Information Privacy and Security Week. Understanding the HIPAA Privacy and Security Rule
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule HIPAA Privacy and Security HIPAA Privacy Rule Final implementation April 14, 2003 Today: Monitor
More informationOSHA & HIPAA Seminar. Northern Texas Facial & Oral Surgery
OSHA & HIPAA Seminar Sponsored By Northern Texas Facial & Oral Surgery April 11, 2014 Power Point Slides For The Course Power Point handout slides are provided for your use during the lecture. Bring these
More informationStudy Management PP STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information
PP-501.00 SOP For Safeguarding Protected Health Information Effective date of version: 01 April 2012 Study Management PP 501.00 STANDARD OPERATING PROCEDURE FOR Safeguarding Protected Health Information
More informationSecurity Risk Analysis and 365 Days of Meaningful Use. Rodney Gauna & Val Tuerk, Object Health
Security Risk Analysis and 365 Days of Meaningful Use Rodney Gauna & Val Tuerk, Object Health 2 3 Agenda Guidelines for Conducting a Security Risk Analysis Scope of Analysis Risk of a Breach Security Risks
More informationReport of the Information & Privacy Commissioner/Ontario. Review of the Cardiac Care Network of Ontario (CCN):
Information and Privacy Commissioner / Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Cardiac Care Network of Ontario (CCN): A Prescribed Person under the Personal Health
More informationWilliamson County EMS (WCEMS) HIPAA Training for Third Out Riders
Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders Training Statement: This training program is designed to educate you on WCEMS legal requirements to protect our patients rights and confidentiality,
More informationTitle: HIPAA PRIVACY ADMINISTRATIVE
Administrative-HIPAA Privacy Title: HIPAA PRIVACY ADMINISTRATIVE Scope: All MultiCare Health System (MHS) workforce members, which includes but not limited to, employees, residents, students, volunteers
More informationHCCA Institute Privacy Officer Round Table Discussion
HCCA Institute Privacy Officer Round Table Discussion Marti Arvin Deann Baker Why We re Here X A facilitated discussion of current issues that Privacy Professionals are dealing with in their day-to-day
More informationEast Carolina University 2010 Annual HIPAA Privacy Training
East Carolina University 2010 Annual HIPAA Privacy Training What are the HIPAA Privacy and Security Rules? Federal laws that govern the use and disclosure of health information of our patients and research
More informationHealthcare Privacy Officer on Evaluating Breach Incidents A look at tools and processes for monitoring compliance and preserving your reputation
Healthcare Privacy Officer on Evaluating Breach Incidents A look at tools and processes for monitoring compliance and preserving your reputation June 20, 2012 ID Experts Webinar www.idexpertscorp.com Mahmood
More informationMCCP Online Orientation
1 Objectives At the conclusion of this presentation, students will be able to: Discuss application of HIPAA to student s role. Describe the federal requirements of the HIPAA/HITECH regulations that protect
More informationStatus Check On Health IT
Status Check On Health IT CTHIMA Annual Conference September 17, 2017 Slides Prepared by Jennifer L. Cox, J.D. Cox & Osowiecki, LLC Hartford, Connecticut 1 The Future Of Healthcare And Health IT Are Not
More informationEstablishing and Implementing a Process to Investigate and Resolve Privacy Breaches and Complaints
Establishing and Implementing a Process to Investigate and Resolve Privacy Breaches and Complaints Barbara Seitz, RHIA Privacy Officer/Director of HIM South Peninsula Hospital Homer, AK Becky Buegel, RHIA
More informationPrivacy and Security Training for Connecting Ontario. PACE Cardiology April, 2017
Privacy and Security Training for Connecting Ontario PACE Cardiology April, 2017 Session Goals By the end of this session you will: Review key elements of privacy protection Know your privacy obligations
More information2018 Employee HIPAA Orientation (EHO) Handbook
2018 Employee HIPAA Orientation (EHO) Handbook Using EHO The material in this booklet is designed to provide newly hired employees with an understanding of HIPAA s regulations and their impact on the employee
More informationHIPAA and HITECH: Privacy and Security of Protected Health Information
HIPAA and HITECH: Privacy and Security of Protected Health Information What is HIPAA? Health Insurance Portability and Accountability Act of 1996 A federal law enacted to: Protect the privacy of a patient
More informationStatement of Guidance: Outsourcing Regulated Entities
Statement of Guidance: Outsourcing Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1 This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on the establishment of
More informationHIPAA Education Program
HIPAA Education Program 2017-2018 Assurance and Compliance Services HIPAA Training Requirement This HIPAA Training Program is intended for and will satisfy the training requirement for the: Mount Sinai
More informationBreach Risk in Release of Information. Don t Leave Risk to Chance Key trends impacting healthcare providers
Breach Risk in Release of Information Don t Leave Risk to Chance Key trends impacting healthcare providers INTRODUCTION Privacy and security within a healthcare enterprise are topics often on the minds
More informationThe Privacy & Security of Protected Health Information
The Privacy & Security of Protected Health Information By the end of this course, you should: Be familiar with the patient s rights to privacy under HIPAA Privacy Act Be able to identify Protected Health
More informationHIMSS Security Survey
NOVEMBER 3, HIMSS Security Survey sponsored by Intel Supported by Sponsored by HIMSS Security Survey Sponsored by Intel Final Report November 3, Now in its third year, the HIMSS Security Survey, sponsored
More informationCompliance Program, Code of Conduct, and HIPAA
Compliance Program, Code of Conduct, and HIPAA Agenda Introduction to Compliance The Compliance Program Code of Conduct Reporting Concerns HIPAA Why have a Compliance Program Procedures to follow applicable
More informationYour Role in Protecting Patient Privacy 2018
Your Role in Protecting Patient Privacy 2018 1 Training Focus This training will focus on what responsibilities you have in order to ensure that both you and our organization are in compliance with state
More informationHIPAA THE PRIVACY RULE
HIPAA THE PRIVACY RULE Reviewed December 2012 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of antidepressant medications in their mail. 2 HISTORY Many
More informationProtecting Health Information: Health Data Security Training
Protecting Health Information: Health Data Security Training How to secure patient information and manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security
More informationAGENDA. 10:45 a.m. CT Attendees Sign On 11:00 a.m. CT Webinar 11:50 a.m. CT Questions and Answers
AGENDA 10:45 a.m. CT Attendees Sign On 11:00 a.m. CT Webinar 11:50 a.m. CT Questions and Answers Asking Questions Throughout the webinar, type your questions using the "send note" button at the top of
More informationLast Chance to Review Your Security Risk Analysis
Learning Forum Fridays Countdown to MIPS Data Submission Webinar Series Last Chance to Review Your Security Risk Analysis Emilie Sundie, MSCIS, PMP, CPHIMS Director, Health IT Services Kari Vanderslice,
More informationPatient Privacy Requirements Beyond HIPAA
Patient Privacy Requirements Beyond HIPAA Jane Hyatt Thorpe, J.D. School of Public Health and Health Services George Washington University Carrie Bill, J.D. Feldesman Tucker Leifer Fidell LLP The George
More informationCompliance Program Updated August 2017
Compliance Program Updated August 2017 Table of Contents Section I. Purpose of the Compliance Program... 3 Section II. Elements of an Effective Compliance Program... 4 A. Written Policies and Procedures...
More informationIt defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.
Office of Compliance Programs Revised: July 18, 2017 HIPAA Privacy HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all
More information2514 Stenson Dr Cedar Park TX Fax
HIPAA QUESTIONS LESSON 2 1. Civil monetary penalties can be as high as: a. $100 b. $1,000 c. $10,000 d. $50,000 2. Civil penalties for HIPAA violations apply to: a. Covered entities b. Business associates
More informationA Deep Dive into the Privacy Landscape
A Deep Dive into the Privacy Landscape David Goodis Assistant Commissioner Information and Privacy Commissioner of Ontario Canadian Institute Advertising & Marketing Law January 22, 2018 Who is the Information
More informationSample Privacy Impact Assessment Report Project: Outsourcing clinical audit to an external company in St. Anywhere s hospital
Sample Privacy Impact Assessment Report Project: Outsourcing clinical audit to an external company in St. Anywhere s hospital October 2010 2 Please Note: The purpose of this document is to demonstrate
More informationPrivacy and Security Orientation for Visiting Observers. DUHS Compliance Office
Privacy and Security Orientation for Visiting Observers DUHS Compliance Office 919-668-2573 compliance@dm.duke.edu Introduction This orientation is to provide new Visiting Observers with the HIPAA Privacy
More informationOffice of the Chief Privacy Officer. Privacy & Security in an App Enabled World HIMSS, Tuesday March 1, 2016, Las Vegas, NV
Office of the Chief Privacy Officer Privacy & Security in an App Enabled World HIMSS, Tuesday March 1, 2016, Las Vegas, NV Table of Contents Introduction Why Apps? What ONC is doing to advance use of Apps
More informationDavid Behinfar, JD, LLM, CHC, CIPP University of Florida College of Medicine Jacksonville UF Privacy Manager (904)
David Behinfar, JD, LLM, CHC, CIPP University of Florida College of Medicine Jacksonville UF Privacy Manager (904) 244 6229 david.behinfar@jax.ufl.edu 1 Presentation Summary High level Summary of the federal
More informationSecurity and Privacy Practices for Electronic Health Records. Joseph W. Hales, PhD, FACMI Intermountain Healthcare Salt Lake City, UT
Security and Privacy Practices for Electronic Health Records Joseph W. Hales, PhD, FACMI Intermountain Healthcare Salt Lake City, UT Intermountain Healthcare Formed 1975 Not-for-profit Integrated system
More informationPeek-A-Boo: EHR Access and Compliance
Peek-A-Boo: EHR Access and Compliance HCCA Compliance Institute Orlando, FL April 10, 2011 Miriam Murray, Sava Senior Care Andrea McElroy, Aurora Health Care This is a medical record, can I show it to
More informationPRIVACY BREACH MANAGEMENT GUIDELINES. Ministry of Justice Access and Privacy Branch
Ministry of Justice Access and Privacy Branch December 2015 Table of Contents December 2015 What is a privacy breach? 3 Preventing privacy breaches 3 Responding to privacy breaches 4 Step 1 Contain the
More informationSecurity Risk Analysis
Security Risk Analysis Risk analysis and risk management may be performed by reviewing and answering the following questions and keeping this review (with date and signature) for evidence of this analysis.
More informationUnderstanding the Privacy and Security Regulations
Omnibus Rule Update HIPAA Handbook for Long-Term Care Staff Understanding the Privacy and Security Regulations Kate Borten, CISSP, CISM Handbook for Long-Term Care Staff Understanding the Privacy and Security
More informationA general review of HIPAA standards and privacy practices 2016
A general review of HIPAA standards and privacy practices 2016 45 CFR, 164 Health Insurance Portability and Accountability Act Treatment, Payment and Healthcare Operations 42 CFR, Part 2, Confidentiality
More informationREVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 PLEASE REVIEW IT CAREFULLY
REVISED NOTICE OF PRIVACY PRACTICES ORIGINAL DATE: JANUARY 1, 2003 REVISED: JANUARY 16, 2014 REVISED: NOVEMBER 27, 2017 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationPrivacy & Security: What You Need to Know
Privacy & Security: What You Need to Know DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
More informationHIPAA Privacy and Security Training for Researchers
HIPAA Privacy and Security Training for Researchers Version April 2017 Mountain States Health Alliance Bringing Loving Care to Health Care 1 Course Objectives This learning course covers HIPAA, HITECH,
More informationConsumer View of Personal Information Risks
Navigating the ephi Minefield Meaningful Consent Meets the Restriction Requirements of the HIPAA Omnibus Rule Timothy Kelly, MS, MBA Standard Register Healthcare Consumer View of Personal Information Risks
More informationHIPAA Policies and Procedures Manual
UNIVERSITY of NORTH CAROLINA at CHAPEL HILL SCHOOL of NURSING HIPAA Policies and Procedures Manual November 2015 1 Table of Contents I. INTRODUCTION... 3 A. GENERAL POLICY... 3 B. SCOPE... 3 II. DEFINITIONS...
More informationWhat is your start date? (Date in which you plan to begin seeing patients in the hospital). Specialty SECTION I. IDENTIFICATION DATA
This Application is for Non-employed Clinical Assistants (RN, dental assistant, orthotist, etc) who wish to assist a supervising physician at one or more of our facilities. Advanced Practice Nurses (CRNA,
More informationSafeguarding Healthcare Information. By:
Safeguarding Healthcare Information By: Jamal Ibrahim Enterprise Info Security ICTN 4040-602 Spring 2015 Instructors: Dr. Phillip Lunsford & Mrs. Constance Bohan Abstract Protection of healthcare information
More informationPARAGOULD DOCTORS CLINIC PRIVACY NOTICE
PARAGOULD DOCTORS CLINIC PRIVACY NOTICE Protected Health Information THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE
More informationHealth Information Privacy Policies and Procedures
University of the Pacific Arthur A. Dugoni School of Dentistry Health Information Privacy Policies and s These Health Information Privacy Policies & s implement our obligations to protect the privacy of
More informationOVERVIEW OF THE USES AND DISCLOSURES OF PHI
PRIVACY 24.0 OVERVIEW OF THE USES AND DISCLOSURES OF PHI Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have direct or
More informationHeadline News: Anatomy of a VIP Records Breach
Watch the Replay Headline News: Anatomy of a VIP Records Breach Executive Series Webinar September 24, 2014 Today s Panel Kim Roberts, MS, RHIA, CHP Privacy Specialist Sparrow Health System kim.roberts@sparrow.org
More informationAlignment. Alignment Healthcare
Alignment CODE OF CONDUCT Alignment Healthcare Our commitment to ethical conduct and compliance depends on all Alignment Healthcare personnel. If you find yourself in an ethical dilemma or suspect inappropriate
More informationWhat to do When Faced With a Privacy Breach: Guidelines for the Health Sector. ANN CAVOUKIAN, Ph.D. COMMISSIONER
What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, Ph.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO Table of Contents What is a privacy breach?...1
More informationTechnology Standards of Practice
2016 Technology Standards of Practice Used with permission from the Association of Social Work Boards (2016) Table of Contents Technology Standards of Practice 2 Definitions 2 Section 1 Practitioner Competence
More informationOutsourcing Guidelines. for Financial Institutions DRAFT (FOR CONSULTATION)
Outsourcing Guidelines for Financial Institutions DRAFT (FOR CONSULTATION) October 2015 Table of Contents 1. INTRODUCTION... 3 2. DEFINITIONS... 3 3. PURPOSE, APPLICATION AND SCOPE... 4 4. TRANSITION PERIOD...
More informationMemorial Hermann Information Exchange. MHiE POLICIES & PROCEDURES MANUAL
Memorial Hermann Information Exchange MHiE POLICIES & PROCEDURES MANUAL TABLE OF CONTENTS 1. Definitions 3 2. Hardware/Software Supported Platform Requirements 4 3. Anti-virus Software Requirement 4 4.
More informationWAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES
WAKE FOREST BAPTIST HEALTH NOTICE OF PRIVACY PRACTICES Effective April 14, 2003 Revised February 17, 2010 Revised September 23, 2013 Revised July 1, 2016 This Notice of Privacy Practices applies to the
More informationIRB 101. Rachel Langhofer Joan Rankin Shapiro Research Administration UA College of Medicine - Phoenix
IRB 101 Rachel Langhofer Joan Rankin Shapiro Research Administration UA College of Medicine - Phoenix Contents Brief discussion of regulations IRB Structure Levels of Approval Informed Consent HIPAA/HITECH
More informationOREGON HIPAA NOTICE FORM
MARCIA JOHNSTON WOOD, Ph.D. Clinical Psychologist 5441 SW Macadam, #104, Portland, OR 97239 Phone (503) 248-4511/ Fax (503) 248-6385 - Effective Sept.23, 2013 - (This copy for you to keep) OREGON HIPAA
More informationNotice of HIPAA Privacy Practices Updates
Notice of HIPAA Privacy Practices Updates The following is a summary of the updates to the privacy notice for Meridian Hospitals Corporation, Meridian Home Care Services, Inc., Meridian Nursing & Rehabilitation,
More informationGranny Cams in Long-Term Care: Rights, Responsibilities and the Law PRESENTED BY: TIMOTHY J. FORD, ESQ
Granny Cams in Long-Term Care: Rights, Responsibilities and the Law PRESENTED BY: TIMOTHY J. FORD, ESQ Reasons Why Families Might Seek to Use Granny Cameras 1. To check-in on loved ones 2. To confirm or
More informationReport of the Auditor General to the Nova Scotia House of Assembly. December Independence Integrity Impact
Report of the Auditor General to the Nova Scotia House of Assembly December 2014 Independence Integrity Impact November 19, 2014 Honourable Kevin Murphy Speaker House of Assembly Province of Nova Scotia
More informationPrivacy Toolkit for Social Workers and Social Service Workers Guide to the Personal Health Information Protection Act, 2004 (PHIPA)
Social Workers and Social Service Workers Guide to the Personal Health Information Protection Act, 2004 (PHIPA) COPYRIGHT 2005 BY ONTARIO COLLEGE OF SOCIAL WORKERS AND SOCIAL SERVICE WORKERS ALL RIGHTS
More informationIf you have any questions about this notice, please contact the SSHS Privacy Officer at:
Notice of Privacy Practices 0 Effective Date: April 14, 2003 Revision Date: July 15, 2016 South Shore Health System ( SSHS ) is an integrated health care delivery system. For a list of entities which comprise
More informationPRIVACY BREACH MANAGEMENT POLICY
\(.kon Education Education PRIVACY BREACH MANAGEMENT POLICY Effective Date: September 1, 2016 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (A TIPP Act) public bodies
More informationPRIVACY IMPACT ASSESSMENT (PIA) For the
Aug 25, 2017 PRIVACY IMPACT ASSESSMENT (PIA) For the Business Continuity Planning System (BCPS) Defense Finance and Accounting Service SECTION 1: IS A PIA REQUIRED? a. Will this Department of Defense (DoD)
More informationTAKING CARE OF LIABILITY:
TAKING CARE OF LIABILITY: A Guide for Nurse Contractors, Independent Nurse Practitioners, and Travel Nursing Businesses TABLE OF CONTENTS An Introduction to Independent Nurses Liabilities...3 CHAPTER 1
More informationManaging Risks and Security in Outsourced Environment
Managing Risks and Security in Outsourced Environment Vincent Leung CISSP CISA CISM TOGAF Enterprise Architect - Information Security 19 May 2011 1 Contents 1. About Cathay Pacific Airways 2. Outsourcing
More informationSecurity and Risk considerations for outsourced IT Services EA InfoSec Conference,14/08/2013, version 1.0
Security and Risk considerations for outsourced IT Services EA InfoSec Conference,14/08/2013, version 1.0 Overview What is IT Outsourcing Why companies outsource IT Security and risk considerations Ensuring
More informationPRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS
PRIVACY POLICY As of April 14, 2003, the Federal regulation on patient information privacy, known as the Health Insurance Portability and Accountability Act (HIPAA), requires that we provide (in writing)
More informationFEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA
FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section 17932; 45 C.F.R.
More informationDUTIES OF A CUSTODIAN
DUTIES OF A CUSTODIAN SUMMARY OF CUSTODIAN DUTIES UNDER THE PERSONAL HEALTH INFORMATION ACT Custodians have legislated duties as outlined in the Act. A custodian is required to: 1. prepare and make readily
More informationResponding to Healthcare Industry Regulations Date: May 9, 2013
Adhering to Healthcare Industry Regulatory Requirements New laws and regulations governing the Healthcare industry have been recently upgraded and will require management to comply by September 23. 2013,
More informationFAFSA Completion Initiative Participation Agreement
Larry Hogan Governor Boyd K. Rutherford Lt. Governor Anwer Hasan Chairperson James D. Fielder, Jr., Ph. D. Secretary FAFSA Completion Initiative Participation Agreement This FAFSA Completion Initiative
More informationHIPAA Breach Policy & Procedures Handbook
HIPAA Breach Policy & Procedures Handbook TABLE OF CONTENTS PART 1: POLICY... 5 I. Introduction... 6 Purpose... 6 Rationale... 6 Policy Statement... 6 Scope... 7 Definitions... 7 EXCEPTIONS... 7 II. Responsibility...
More informationPolicy on Telecommuting
Page 1 of 9 PURPOSE: California State University Channel Islands supports telecommuting when the campus determines that telecommuting is in its best interest. Such instances for telecommuting
More informationHIPAA Privacy Rule. Best PHI Privacy Practices
HIPAA Privacy Rule Best PHI Privacy Practices Learning Objectives Define the acronym HIPAA. Understand your role and responsibilities under the privacy regulations. Know what patient s rights are in terms
More informationREVIEWED BY Leadership & Privacy Officer Medical Staff Board of Trust. Signed Administrative Approval On File
The Alexandra Hospital, Ingersoll PRIVACY POLICY SUBJECT-TITLE Privacy Policy REVIEWED BY Leadership & Privacy Officer Medical Staff Board of Trust DATE Oct 11, 2005 Nov 8, 2005 POLICY CODE DATE OF ORIGIN
More informationBreach Reporting and Safeguarding PHI Outpatient Services August, UAMS HIPAA Office Anita Westbrook
Breach Reporting and Safeguarding PHI Outpatient Services August, 2012 UAMS HIPAA Office Anita Westbrook Breaches and Breach Reporting Real Life Example An employee of a large hospital accidentally left
More informationASX CLEAR (FUTURES) OPERATING RULES Guidance Note 9
OFFSHORING AND OUTSOURCING The purpose of this Guidance Note The main points it covers To provide guidance to participants on some of the issues they need to address when offshoring or outsourcing their
More informationMURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES
CW CR 618 Exhibit A MURRAY MEDICAL CENTER HIPAA NOTICE OF PRIVACY PRACTICES Effective Date: THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS
More information