Nine HIPAA Compliance Questions to Ask Yourself
1. Privileged and Confidential Information
LERNER Consulting
2014
Sleep More Soundly
People sleep more soundly when they feel secure. When you are well rested, your potential grows.

Today’s enterprises face a laundry list of challenges, from ever-evolving compliance requirements to new technical environments to cyberterrorism and extortionists. Traditional security measures are at best response-driven or, worse, passive.

LERNER’s Compliance Practice helps you become proactive towards the things that interfere with your business.

Let us help you unlock your potential.
Twitter: @RevInnovator
Food for Thought Questions
1. How do you provide solutions that address optimal Required and Addressable clauses?
2. Do you have or need full-time Chief Security and Privacy Officer(s)?
3. Have you completed the Omnibus updates?
4. Do you have a document management system that allows you to quickly and easily retrieve the required documents?
5. How often do you review your IT Policies and Procedures?
6. Do you have a training program for both IT Security and HIPAA?
7. Must our organization comply with every clause?
8. What if we don’t (think) we handle any data? Must we be compliant?
9. Is a Business Associate the same as a Covered Entity?
HIPAA Compliance Services
We begin with a focused risk assessment, rather than addressing the flavor of the day. Our approach is to assess how a set of risks or compliance needs impacts your enterprise. From there we develop the controls that affect people, process, technology and systems.

LERNER addresses the regulatory requirements and internal handoffs, providing clients with an alignment plan to support business objectives and IT implementation. Internally there must be clear plans that include communication to employees and partners. The implementation of a system helps support HIPAA processes through automated action and process controls.
Assess / Advise / Resolve

Activities

Assess
• Identify relevant HIPAA mandates (e.g., CFR Title 45)
• Select HIPAA processes and procedures for remediation
• Gather existing enterprise processes
• Perform gap analysis
• Identify internal stakeholders

Advise
• Conduct business alignment workshop(s)
• Define/Create process maps
• Identify controls required for:
  – Administrative Safeguards
  – Physical Safeguards
  – Technical Safeguards
  – Organizational Requirements
  – Policies and Procedures
  – Other required controls
• Develop enterprise-specific plans
• Identify metrics and measurements

Resolve
• Implement processes
• Implement system implementation/updates
• Test implementation and controls
• Provide and execute communications plan and change management

Deliverables

Assess
• Internal charter
• Gap Analysis
• Implementation roadmap
• Integration/overlap with other compliance activities

Advise
• Finalized process maps
• Define processes, new roles/responsibilities as required
• Develop documentation
• Implementation roadmap
• Metrics for success

Resolve
• Systems implementation
• Change management and communications plan
Case Study: Systems Integrator – HIPAA Compliance

Problem Statement
• Client is a Systems Integrator providing IT services to large healthcare payers
• Client has access to both Protected Health Information and Personally Identifiable Information. Access was granted to production systems and databases
• An initial review of security features by a healthcare payer found that Client was lacking overall in HIPAA compliance

How we solved it
• LERNER was engaged to help the SI become HIPAA compliant. In a seven-step process we addressed key areas of compliance (e.g., Administrative, Technical, Organizational and Physical Safeguards)
  – Did a comprehensive review of management policies and business operations
  – Wrote and implemented IT Policies and Procedures for end users
  – Revised network and desktop architectures to support compliance needs. Implemented security policies (encryption, password management, firewall management, network penetration test)
  – Developed physical security measures (e.g., keycards)
  – Addressed specific payer needs (e.g., mobile device management)
  – Served as Chief Security Officer for the client organization
  – Developed and implemented business continuity and disaster recovery plans
  – Worked with executive management to implement a Risk Management plan with contingencies

What the client achieved
• Compliance within six weeks
• Insurer awarded client a one-year contract for outsourcing
• Compliance for other Insurers
• A secure and compliant development center
Lawrence I Lerner – Managing Director
Relevant accomplishments and highlights:
§ Author of four software methodologies for product and package selection. This includes Cognizant’s Portfolio Analysis, which has been recognized by the analyst community as groundbreaking for product transformation and development
§ Led organizational redesign and process re-engineering for all of IT at Kimberly-Clark
§ Development of IT Security Policies for multiple organizations including the American Medical Association, Motorola, a New York based Civil Rights organization and other top brand companies
§ Global practice leader for IT Security Practice at Cognizant
§ Board member for PNI Digital Media, Audit Committee Member

Lawrence has over 25 years’ experience as a Digital Strategist for the world’s top brands. His background includes development of eBusiness initiatives at PricewaterhouseCoopers, development of Cognizant Technology Solutions’ Business Technology and Advanced Solutions groups and creation of strategic solutions for UST Global. Lawrence has over fifteen years in IT and business process outsourcing/offshoring and is a widely sought-after security and compliance expert.

Lawrence is well known for bringing game-changing programs to companies. He has extensive experience as both a Chief Technology Officer and a Business Strategist, taking core business needs and realizing them through technology. His process consulting work was recognized as “best in class” by Gartner in 2009.
http://eon.businesswire.com/news/eon/20100518006108/en - “UST Global Completes Next Generation BPM Solution for Catalina Marketing.” Catalina is the global leader in shopper-driven marketing solutions, providing brand manufacturers, retailers and healthcare providers with shopper-driven marketing solutions to meet growth objectives.

Previously Lawrence led the Cognizant and PwC IT (Chicago) Security Consulting practices and was responsible for the development of services and client audits. He has been responsible for IT Security and audits since the late 90s.

Lawrence was previously on the Board of Directors for PNI Digital Media (TSX–V: PN; now Staples). PNI is the premier provider of digital solutions for the photo industry, housing over four petabytes of online photos. He was an active Director, providing governance and new product strategies.