HealthCare Compliance - HIPAA and HITRUST
Kishor Vaswani, CEO – ControlCase
Agenda
• About HIPAA
• HIPAA, HITECH and the Omni-bus Rule
• Fines and Penalties
• HIPAA Requirements
• HITRUST Mission and Objective
• Key Components of CSF Assurance Program
• Demonstrating compliance to HIPAA through HITRUST
• Key takeaways
• Q&A
2/ 18
What is HIPAA today?
Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:
• Establishes administrative, physical and technical security and privacy standards
• Applies to both healthcare providers and business associates (3rd parties)
• Attributes responsibility for monitoring HIPAA compliance of business associates to healthcare providers
• Assessment of compliance of business associates due 09/23/13
HIPAA, HITECH and the Omni-bus Rule
HITECH
• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
• Establishes mandatory penalties for ‘willful neglect’
• Imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI"
• Institutes third party management and monitoring as ‘due diligence’ and ‘due care’ provisions
• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
Omni-bus Rule
• Finalization of interim rules outlined in the HITECH Act
• Formalizes enforcement provisions for breaches
• Expands definition of BA to include subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the actual maximum for penalties
• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
• Requires an on-going monitoring process for the organization’s security programs and processes.
Fines/Penalties

HIPAA Violation | Minimum Penalty | Maximum Penalty
--- | --- | ---
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

Source: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
HIPAA Requirements – Privacy Rule
Privacy Rule Main Points:
• Requires appropriate safeguards to protect the privacy of personal health information
• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
• Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
• Requires compliance with the Security Rule
For BAs:
• Requires breach notification to the Covered Entity
• Requires giving either the individual or the Covered Entity access to PHI
• Requires reporting the disclosure of PHI to the Secretary of HHS
• Requires providing an accounting of disclosures
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Requirements – Security Rule
Administrative Safeguards:
• Security Management Process - Risk Analysis (required), Risk Management (required), Sanction Policy (required), Information Systems Activity Reviews (required)
• Assigned Security Responsibility - Officers (required)
• Workforce Security - Employee Oversight (addressable)
• Information Access Management - Multiple Organizations (required) and ePHI Access (addressable)
• Security Awareness and Training - Security Reminders (addressable), Protection Against Malware (addressable), Login Monitoring (addressable), Password Management (addressable)
• Security Incident Procedures - Response and Reporting (required)
• Contingency Plans (required)
• Evaluations (required)
• Business Associate Agreements (required)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Technical Safeguards:
• Access Control - Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff (addressable), Encryption and Decryption (addressable)
• Audit Controls (required)
• Integrity - Mechanism to Authenticate ePHI (addressable)
• Authentication (required)
• Transmission Security - Integrity Controls (addressable), Encryption (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Physical Safeguards:
• Facility Access Controls - Contingency Operations (addressable), Facility Security Plan (addressable), Access Control and Validation Procedures (addressable), Maintenance Records (addressable)
• Workstation Security (required)
• Device and Media Controls - Disposal (required), Media Re-Use (required), Data Backup and Storage (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
HIPAA Requirements – Breach Notification
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
Unsecured PHI
Transmission and Storage: NIST Special Publication 800-111, NIST Special Publications 800-52, 800-77 or Federal Information Processing Standards (FIPS) 140-2 validated
Destruction: Specifies physical and electronic PHI; for electronic, NIST Special Publication 800-88
Breach Notification
Methods: By email or first class mail; to the media; posting the notice on the home page of its web site for at least 90 days; if BA, to the CE, within 60 days of determination
Notification Thresholds
> 500 records: notify HHS, individuals and the media within 60 days
< 500 records: notify HHS in an annual consolidated listing
Burden of Proof
CEs/BAs are required to prove that they have notified the affected parties within the time periods specified or face penalties
HIPAA Requirements – BAs and subcontractors
• Comply directly with the HIPAA Regulation
• Business associates must identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective CE
• BAs must establish and define (contractually) security requirements, right to audit, incident reporting clauses with their service providers
• BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers
• Be able to show due diligence/due care with respect to monitoring their supplier’s security compliance
HITRUST Mission and Objectives
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
Key focus:
• Increase the protection of protected health and other sensitive information
• Mitigate and aid in the management of risk associated with health information
• Contain and manage costs associated with appropriately protecting sensitive information
• Increase consumer and governments’ confidence in the industry's ability to safeguard health information
• Address increasing concerns associated with business associate and 3rd party privacy, security and compliance
• Work with federal and state governments and agencies and other oversight bodies to collaborate with industry on information protection
• Facilitate sharing and collaboration relating to information protection amongst and between healthcare organizations of varying types and sizes
• Enhance and mature the knowledge and competency of health information protection professionals
HITRUST Overview
• Exists to ensure that information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
• Was born out of the belief that information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information.
• Is collaborating with healthcare, business, technology and information security leaders, all of whom are united by the belief that adopting a higher level of standard security practices will build greater trust in the electronic flow of information through the healthcare system.
• Has established a certifiable framework that any and all organizations in the healthcare industry that create, access, store or exchange personal health and financial information can implement and be certified against.
Strategic Objectives of HITRUST
Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
• Rationalize regulations and standards into a single overarching framework tailored for the industry
• Deliver a prescriptive, scalable and certifiable process
• Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls to eliminate ambiguity in the process
• Enable the ability to cost-effectively monitor compliance with organizational, business partner and governmental requirements
• Provide support and facilitate sharing of ideas, feedback and experiences within the industry
Establish trust between organizations within the healthcare industry that exchanged information is protected
Develop an approach for the practical, efficient and consistent adoption of security by the healthcare industry
Standardized tools and processes
• Questionnaire
› Focus assurance dollars to efficiently assess risk exposure
› Measured approach based on risk and compliance
› Ability to escalate assurance level based on risk
• Report
› Output that is consistently interpreted across the industry
Cost effective and rigorous assurance
• Multiple assurance options based on risk
• Quality control processes to ensure consistent quality and output across HITRUST CSF Assessors
• Streamlined and measurable process within MyCSF tool
• End User support
Key Components of CSF Assurance Program
HITRUST Report
• Certified/validated report issued by HITRUST based on work of independent third-party assessors
› Business/functional/organizational units that meet the associated criteria
• Assessment context and scope of systems included in assessment
• Breakdown of CSF control areas with a comparison to industry
› Includes maturity scores
• Testing summary, corrective action plans, and completed questionnaire
Challenges: Demonstrating Compliance to HIPAA and case for using HITRUST
• Risk Assessments
– Not performed/not updated or documented
– Limited scope: facilities, processing environment, personnel, software
– Not aligned with controls or monitoring
• Inventories (Asset Management)
– Out of date/not documented: hardware, software, interfaces, dataflow diagrams/process descriptions, removable media, teleworkers (remote), BAs and subcontractors
• No BA/Vendor Management program
• Policies, procedures and standards (Governance)
• Hardening and patch management
– None or not implemented
– Not monitored/no follow-up
– End-of-life
• Vulnerability Management
– Inconsistent/incomplete internal vulnerability and penetration testing for networks and applications
– Remediation gaps
– No Internet content restrictions
• System Logging and Monitoring
– Not implemented/inconsistent
– Not retained or analyzed
– Lack of oversight and approval
• None or inconsistent encryption of data in transmission or storage
• Media management and tracking gaps
• Untested incident and breach response processes for PHI related disclosures
• User Provisioning
– Excessive privileges/accesses
– No formal documentation of rationale
– Lack of oversight and approval
• Training and awareness
– Not HIPAA oriented
– No refresh
– Lack of evidence of attendance
• Inadequate business continuity and disaster recovery
• Failure to monitor external maintenance personnel
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› HITRUST Assessor
› PCI DSS Qualified Security Assessor (QSA)
› SOC1, SOC2
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› ISO 27001 Assessor
› HIPAA Audits
To Learn More …
Visit www.controlcase.com
Email us at contact@controlcase.com
Q & A

Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Zilliz
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 

HealthCare Compliance - HIPAA & HITRUST

• 1. HealthCare Compliance - HIPAA and HITRUST
  Kishor Vaswani, CEO – ControlCase

• 2. Agenda
  • About HIPAA
  • HIPAA, HITECH and the Omni-bus Rule
  • Fines and Penalties
  • HIPAA Requirements
  • HITRUST Mission and Objective
  • Key Components of CSF Assurance Program
  • Demonstrating compliance to HIPAA through HITRUST
  • Key takeaways
  • Q&A

• 3. What is HIPAA today?
  Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:
  • Establishes administrative, physical and technical security and privacy standards
  • Applies to both healthcare providers and business associates (3rd parties)
  • Attributes responsibility for monitoring HIPAA compliance of business associates to healthcare providers
  • Assessment of compliance of business associates due 09/23/13

• 4. HIPAA, HITECH and the Omni-bus Rule
  HITECH
  • Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
  • Establishes mandatory penalties for ‘willful neglect’
  • Imposes data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI”
  • Institutes third party management and monitoring as ‘due diligence’ and ‘due care’ provisions
  • Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
  Omni-bus Rule
  • Finalization of interim rules outlined in the HITECH Act
  • Formalizes enforcement provisions for breaches
  • Expands the definition of BA to include subcontractors of BA (BA of BA)
  • Clarifies that HHS will determine the actual maximum for penalties
  • Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
  • Requires an on-going monitoring process for the organization’s security programs and processes

• 5. Fines/Penalties
  • Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
    – Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
    – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  • HIPAA violation due to reasonable cause and not due to willful neglect
    – Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
    – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  • HIPAA violation due to willful neglect but violation is corrected within the required time period
    – Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
    – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  • HIPAA violation is due to willful neglect and is not corrected
    – Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
    – Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Source: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page

• 6. HIPAA Requirements – Privacy Rule
  Privacy Rule Main Points:
  • Requires appropriate safeguards to protect the privacy of personal health information
  • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
  • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
  • Requires compliance with the Security Rule
  For BAs:
  • Requires breach notification to the Covered Entity
  • Requires providing access to PHI to either the individual or the Covered Entity
  • Requires reporting the disclosure of PHI to the Secretary of HHS
  • Requires providing an accounting of disclosures
  Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

• 7. HIPAA Requirements – Security Rule
  Administrative Safeguards:
  • Security Management Process: Risk Analysis (required), Risk Management (required), Sanction Policy (required), Information Systems Activity Reviews (required)
  • Assigned Security Responsibility: Officers (required)
  • Workforce Security: Employee Oversight (addressable)
  • Information Access Management: Multiple Organizations (required), ePHI Access (addressable)
  • Security Awareness and Training: Security Reminders (addressable), Protection Against Malware (addressable), Login Monitoring (addressable), Password Management (addressable)
  • Security Incident Procedures: Response and Reporting (required)
  • Contingency Plans (required)
  • Evaluations (required)
  • Business Associate Agreements (required)
  Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
  Technical Safeguards:
  • Access Control: Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff (addressable), Encryption and Decryption (addressable)
  • Audit Controls (required)
  • Integrity: Mechanism to Authenticate ePHI (addressable)
  • Authentication (required)
  • Transmission Security: Integrity Controls (addressable), Encryption (addressable)
  Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
  Physical Safeguards:
  • Facility Access Controls: Contingency Operations (addressable), Facility Security Plan (addressable), Access Control and Validation Procedures (addressable), Maintenance Records (addressable)
  • Workstation Security (required)
  • Device and Media Controls: Disposal (required), Media Re-Use (required), Data Backup and Storage (addressable)
  Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf

• 8. HIPAA Requirements – Breach Notification
  Definition of Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
  Unsecured PHI:
  • Transmission and Storage: NIST Special Publication 800-111, NIST Special Publications 800-52, 800-77 or Federal Information Processing Standards (FIPS) 140-2 validated
  • Destruction: Specifies physical and electronic PHI; for electronic PHI, NIST Special Publication 800-88
  Breach Notification Methods: By email or first class mail; to the media; posting the notice on the home page of its web site for at least 90 days; if BA, to the CE, within 60 days of determination
  Notification Thresholds:
  • > 500 records: notify HHS, individuals and the media within 60 days
  • < 500 records: notify HHS annually in a consolidated listing
  Burden of Proof: CEs/BAs are required to prove that they have notified the affected parties within the time periods specified or face penalties

• 9. HIPAA Requirements – BAs and subcontractors
  • Comply directly with the HIPAA Regulation
  • Business associates must identify, assess and monitor their supporting business associates (BAs of BAs) and provide regular updates to the respective CE
  • BAs must establish and define (contractually) security requirements, right to audit, and incident reporting clauses with their service providers
  • BAs must implement an effective monitoring/assessment process based on the nature of the data exchanged with service providers
  • Be able to show due diligence/due care with respect to monitoring their suppliers’ security compliance

• 10. HITRUST Mission and Objectives
  Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
  Key focus:
  • Increase the protection of protected health and other sensitive information
  • Mitigate and aid in the management of risk associated with health information
  • Contain and manage costs associated with appropriately protecting sensitive information
  • Increase consumer and governments’ confidence in the industry's ability to safeguard health information
  • Address increasing concerns associated with business associate and 3rd party privacy, security and compliance
  • Work with federal and state governments and agencies and other oversight bodies to collaborate with industry on information protection
  • Facilitate sharing and collaboration relating to information protection amongst and between healthcare organizations of varying types and sizes
  • Enhance and mature the knowledge and competency of health information protection professionals

• 11. HITRUST Overview
  • Exists to ensure that information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
  • Was born out of the belief that information security is critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information.
  • Is collaborating with healthcare, business, technology and information security leaders, all of whom are united by the belief that adopting a higher level of standard security practices will build greater trust in the electronic flow of information through the healthcare system.
  • Has established a certifiable framework that any and all organizations in the healthcare industry that create, access, store or exchange personal health and financial information can implement and be certified against.

• 12. Strategic Objectives of HITRUST
  Establish a fundamental and holistic change in the way the healthcare industry manages information security risks:
  • Rationalize regulations and standards into a single overarching framework tailored for the industry
  • Deliver a prescriptive, scalable and certifiable process
  • Address inconsistent approaches to certification, risk acceptance and adoption of compensating controls to eliminate ambiguity in the process
  • Enable the ability to cost-effectively monitor compliance with organizational, business partner and governmental requirements
  • Provide support and facilitate sharing of ideas, feedback and experiences within the industry
  Establish trust between organizations within the healthcare industry that exchanged information is protected.
  Develop an approach for the practical, efficient and consistent adoption of security by the healthcare industry.

• 13. Key Components of CSF Assurance Program
  Standardized tools and processes
  • Questionnaire
    › Focus assurance dollars to efficiently assess risk exposure
    › Measured approach based on risk and compliance
    › Ability to escalate assurance level based on risk
  • Report
    › Output that is consistently interpreted across the industry
  Cost effective and rigorous assurance
  • Multiple assurance options based on risk
  • Quality control processes to ensure consistent quality and output across HITRUST CSF Assessors
  • Streamlined and measurable process within the MyCSF tool
  • End user support

• 14. HITRUST Report
  • Certified/validated report issued by HITRUST based on the work of independent third-party assessors
    › Business/functional/organizational units that meet the associated criteria
  • Assessment context and scope of systems included in the assessment
  • Breakdown of CSF control areas with a comparison to industry
    › Includes maturity scores
  • Testing summary, corrective action plans, and completed questionnaire

• 15. Challenges: Demonstrating Compliance to HIPAA and the case for using HITRUST
  • Risk Assessments
    – Not performed/not updated or documented
    – Limited scope: facilities, processing environment, personnel, software
    – Not aligned with controls or monitoring
  • Inventories (Asset Management)
    – Out of date/not documented hardware, software, interfaces, dataflow diagrams/process descriptions, removable media, teleworkers (remote), BAs and subcontractors
  • No BA/Vendor Management program
  • Policies, procedures and standards (Governance)
  • Hardening and patch management
    – None or not implemented
    – Not monitored/no follow-up
    – End-of-life
  • Vulnerability Management
    – Inconsistent/incomplete internal vulnerability and penetration testing for networks and applications
    – Remediation gaps
    – No Internet content restrictions

• 16. Contd…
  • System Logging and Monitoring
    – Not implemented/inconsistent
    – Not retained or analyzed
    – Lack of oversight and approval
  • None or inconsistent encryption of data in transmission or storage
  • Media management and tracking gaps
  • Untested incident and breach response processes for PHI related disclosures
  • User Provisioning
    – Excessive privileges/accesses
    – No formal documentation of rationale
    – Lack of oversight and approval
  • Training and awareness
    – Not HIPAA oriented
    – No refresh
    – Lack of evidence of attendance
  • Inadequate business continuity and disaster recovery
  • Failure to monitor external maintenance personnel

• 17. Why Choose ControlCase?
  • Global Reach
    › Serving more than 400 clients in 40 countries and rapidly growing
  • Certified Resources
    › HITRUST Assessor
    › PCI DSS Qualified Security Assessor (QSA)
    › SOC1, SOC2
    › QSA for Point-to-Point Encryption (QSA P2PE)
    › Certified ASV vendor
    › ISO 27001 Assessor
    › HIPAA Audits

• 18. To Learn More …
  Visit www.controlcase.com
  Email us at contact@controlcase.com

• 19. Q & A