The majority of changes to HIPAA have been introduced and strengthened by the recent passage of the HITECH and Omni-bus rules.
ControlCase HIPAA Compliance as a Service (CaaS)
is an integration of services, software, and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC.
The Health Insurance Portability and Accountability Act Kartheek Kein
HIPAA is the acronym of the Health Insurance Portability and Accountability Act of 1996. The main purpose of this federal statute was to help consumers maintain their insurance coverage, but it also includes a separate set of provisions called Administrative Simplification.
The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions.
https://www.hipaajournal.com/hipaa-training-requirements/
Health Insurance Portability and Accountability Act (HIPAA) - KloudLearn
HIPAA, or the Health Insurance Portability and Accountability Act, is United States legislation that provides data privacy and security provisions for securing confidential and sensitive medical information.
This slideshow provides a brief overview of the basics of HIPAA. Viewers receive a walkthrough of its core fundamentals. This represents Part 1 of 3 in a series that educates primary care providers on achieving HIPAA compliance.
While the Health Insurance Portability and Accountability Act (HIPAA) is best known for its multitude of requirements that govern the way health care providers can use, disclose, and safeguard protected health information (PHI), its reach goes far beyond that to health plans and business associates that only handle PHI on a limited basis. HIPAA implementation in these environments creates unique challenges—for example, which provisions actually need to be addressed—but with 2016 marking an all-time high for HIPAA enforcement cases, it may be more important now than ever to address HIPAA compliance.
Have you ever felt confused by HIPAA’s complex regulations? Even if you are well versed in the laws, there are still many headache inducing intricacies. In this webinar, an experienced HIPAA auditor will highlight the basics of HIPAA, its regulations, what you need to know about it, and how it may affect you, especially with a new wave of HHS audits looming. The webinar is designed for HIPAA novices and experts alike, and all questions are encouraged in this interactive session.
PowerPoint presentation from the Human Subjects Research Committee at the University of North Alabama, in Florence, AL, concerning HIPAA policies and procedures.
Developers building healthcare applications for mobile devices, wearables and the desktop need to understand HIPAA requirements in order to build apps that are in compliance. This deck gives application developers an overview of the HIPAA rules and what it means for their software development.
Log monitoring and file integrity monitoring - ControlCase
Log Monitoring and File Integrity Monitoring
ControlCase is a leading provider of IT Governance, Risk Management and Compliance (GRC) solutions to institutions worldwide. Our solutions consist of enterprise software solutions, hosted solutions and managed services offerings that provide a customizable blend of services tailored to the unique needs of our clients.
ControlCase Security Event Logging and Monitoring Services can be performed to support an organization’s overall security management program and/or demonstrate compliance with any number of industry standards and guidelines such as PCI DSS, HIPAA and SOX.
Please contact ksimon@controlcase.com for more information.
It is now more important than ever to ensure your breach security is on par or better than the rest of the industry. Review these slides to ensure you understand the regulations surrounding patient privacy and how to prevent future breaches.
This slideshow discusses the following:
- About the cloud
- About PCI DSS
- PCI DSS in the cloud
- How to keep sensitive data secure as you move to the cloud
- Q&A
ControlCase Data Discovery (CDD) addresses the risk of having encrypted, unknown, or otherwise prohibited cardholder data in your operational environment. It is one of the first comprehensive scanners to not only search for credit card data in file systems, but also in leading commercial and open source databases.
HIPAA & HITECH Made Easy for Behavioral Health Professionals - Marlene Maheu
HIPAA & HITECH Made Easy for Behavioral Health Professionals
1-Hour Webinar
At the TeleMental Health Institute, we offer you the option to earn CEUs while you learn the updates to HIPAA and HITECH:
For 1 CEU for mental health professionals and nurses, go to this page for details: http://telehealth.org/hipaa-hitech
Join the innovative group of over 1,200 mental health professionals at the TeleMental Health Institute: www.telehealth.org
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001 - ControlCase
- What is Log Management and FIM
- PCI DSS, EI3PA, ISO 27001 requirements
- Log Management and regulation requirements/ mapping
- File Integrity Monitoring and regulation requirements/ mapping
- Challenges
ControlCase covers the following:
- About the cloud
- About PCI DSS
- PCI DSS in the cloud
- How to keep sensitive data secure as you move to the cloud
- Q&A
ControlCase discusses the following:
– Healthcare compliance in general
– What is HIPAA
– What is HITRUST
– How do they relate?
– Advantages of being HITRUST certified
ControlCase will discuss the following:
- Healthcare compliance in general
- What is HIPAA
- What is HITRUST
- How do they relate?
- Advantages of being HITRUST certified
What Covered Entities Need to Know about OCR HIPAA Audits - Iatric Systems
Learn how to be better prepared to comply with today's patient privacy rules and regulations.
Hosted by HealthITSecurity.com, you'll get insight directly from HIPAA officer Iliana L. Peters, J.D., LL.M. As senior advisor for HIPAA Compliance and Enforcement, she is today's leading source for understanding HIPAA requirements.
Ms. Peters presents OCR’s 2017 to 2018 goals and objectives and tells you how you can:
-Uncover the patient privacy risks and vulnerabilities in your healthcare organization
-Determine where you can use technology to assist in and encourage consistent compliance
-Manage risk when vendors have access to your patient data
Healthcare Compliance: HIPAA and HITRUST - ControlCase
ControlCase discusses the following:
•Healthcare compliance in general
•What is HIPAA
•What is HITRUST
•How do they relate?
•Advantages of being HITRUST certified
Redspin & Phyllis and Associates Webinar - HIPAA, HITECH, Meaningful Use, IT Security - Redspin, Inc.
Slides from our 1/20/2011 webinar - HIPAA & HITECH Requirements, Compliance, Meaningful Use, and IT security assessments...we know it’s confusing!
Let’s focus on what you need to know!
Business Associates: How to become HIPAA compliant, increase revenue, and gai... - Compliancy Group
Since Omnibus started in 2013, Business Associates (BAs) have scrambled to understand and adhere to the federal regulation. Though Omnibus alone was a reason for Business Associates to become compliant, many realized that compliance could also help differentiate their offerings, helping the company retain and acquire new clients. Compliance is helping many BAs open new revenue streams while increasing brand stickiness.
With the plethora of non-compliant Business Associates, Covered Entities are realizing that the best option for them is to choose a BA that is compliant to reduce their risk.
Protecting ePHI: What Providers and Business Associates Need to Know - Network 1 Consulting
HIPAA defined 18 Protected Health Information (PHI) identifiers. Electronic PHI (ePHI) is the computer version of PHI. What are the risks of not protecting ePHI? And what are the best practices and tips for protecting ePHI?
HIPAA Security Trends and Future Expectations - PYA, P.C.
PYA Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant, presented at the TSCPA Health Care Conference. His presentation, “HIPAA Security Trends and Future Expectations”, focuses on:
- Current HIPAA enforcement activities and future developments.
- Case studies that highlight the changing HIPAA landscape.
- Cyber threats that impact covered entities and business associates.
Get information on the HIPAA Omnibus rule and how the revised regulations will impact not only healthcare organizations but also covered entities and other IT providers - OConnor Davies - NYC CPA Firm.
Dental Compliance for Dentists and Business Associates - gppcpa
This presentation will discuss covered entities and protected health information (PHI) as they relate to dental practices and business associates of those practices. It will update you on major legislation relating to patient privacy laws and explain why PHI is important and the consequences for non-compliance with state and federal laws.
OCR is increasing its audits of the HIPAA compliance of health care providers. An OCR audit that finds noncompliance may lead to a significant fine or financial settlement. Adam Greene, partner at Davis Wright Tremaine and past regulator at OCR, will review the latest information about the OCR audit program, including OCR’s focus on information security risk analysis and ensuring that breach notification policies and procedures are up-to-date consistent with recent regulatory changes. Learn about recent changes to HIPAA rules, the focus of upcoming audits, the importance of a good breach response program to reduce potential liability, and how best to prepare your organization. In addition, you’ll hear how to prepare for and respond to the inevitable data breach.
To View the Webinar Recording, click here: https://www2.idexpertscorp.com/resources/single/ocr-hipaa-audits...will-you-be-prepared/r-general
Similar to Health Insurance Portability and Accountability Act (HIPAA) Compliance (20)
What problems exist between IT Security and Cyber Insurance?
Correlation between Cyber Maturity and Cyber Insurance
Why is this Urgent?
What You can Do Today to Reduce Risk?
2022 Webinar - ISO 27001 Certification.pdf - ControlCase
ControlCase Introduction
What is ISO 27001?
What is ISO 27002?
What is ISO 27701, ISO 27017, & ISO 27018?
What is an ISMS?
What is ISO 27001 Certification?
Who Needs ISO 27001?
What is Covered in ISO 27001?
How Many Controls in ISO 27001?
What is the ISO 27001 Certification Process?
How Often Do You Need ISO 27001 Certification?
What are the Challenges to ISO 27001 Compliance?
Why ControlCase?
Hosted by ControlCase and the PCI Security Standards Council, this 45-minute webinar will cover:
History of PCI DSS (including current version 3.2)
PCI DSS v4.0 High-Level Changes
PCI DSS v4.0 Timeline
Deep Dive into notable changes:
Promote Security as a Continuous Process
Increased Flexibility and Customized Approach
Increased Alignment between PCI ROC and PCI SAQ
Keep up with the security needs of the Payment Industry and landscape (such as MFA/phishing, etc.)
ControlCase Methodology for v4.0
Q&A
In this deck ControlCase will discuss the following:
What is CMMC 2.0?
Who does CMMC 2.0 apply to?
What is the accreditation body (CMMC-AB)?
What is a CMMC Third Party Organization (C3PAO)?
What does CMMC mean for Cybersecurity?
What are the CMMC certification levels?
How often is CMMC needed?
CMMC and NIST
What is the CMMC Assessment process?
ControlCase CSO, Kishor Vaswani, and HITRUST VP of Adoption, Mike Parisi take a deep dive into HITRUST.
This webinar covers the basics of HITRUST and introduces the new updates, including the HITRUST Basic Assessment, HITRUST i1 Validated Assessment and HITRUST r2 Validated Assessment.
The webinar agenda includes the following:
- What is HITRUST
- What is HITRUST CSF?
- What are the HITRUST Implementation levels?
- What are the HITRUST Domains?
- What is a HITRUST Report?
- What is the HITRUST bC Assessment
- What is the HITRUST I1 Assessment?
- What is the HITRUST r2 Assessment?
- What can go wrong with a HITRUST Assessment?
- ControlCase methodology for HITRUST Compliance
ControlCase covers the following:
- What is CMMC?
- Who does CMMC apply to?
- What is the accreditation body (CMMC-AB)?
- What is a CMMC Third Party Organization (C3PAO)?
- What does CMMC mean for Cybersecurity?
- What are the CMMC certification levels?
- How often is CMMC needed?
- CMMC and NIST
- What is the CMMC Assessment process?
Click Here to visit the FedRAMP blog - https://www.controlcase.com/what-is-fedramp/?utm_source=webinar&utm_campaign=webinar
Click Here for FedRAMP Compliance Checklist - https://www.controlcase.com/fedramp-checklist-lp/?utm_source=webinar&utm_campaign=webinar
ControlCase covers the following:
- What is FedRAMP?
- What is FedRAMP Marketplace?
- Who does FedRAMP apply to?
- How hard is it to get FedRAMP certified?
- How long does the FedRAMP process take?
- How to get FedRAMP certified?
- ControlCase methodology for FedRAMP compliance
ControlCase covers the following:
- What does SOC stand for?
- What is SOC 2 compliance?
- What is SOC 2 certification?
- What is a SOC 2 report?
- Who can perform a SOC 2 audit?
- How do managed service providers comply with SOC 2?
- How to lower cost of SOC 2 audit?
- ControlCase methodology for SOC 2 compliance
ControlCase covers the following:
•What is PCI DSS?
•What does PCI DSS stand for?
•What is the purpose of PCI DSS?
•Who does PCI DSS apply to?
•What are the 12 requirements of PCI DSS?
•What are the 6 Principles of PCI DSS?
•What are the potential liabilities for not complying with PCI DSS?
•How can we achieve compliance in a cost effective manner?
OneAudit™ - Assess Once, Certify to Many - ControlCase
ControlCase covers the following:
•About PCI DSS, ISO 27001, NERC, HIPAA, and FISMA
•Best Practices and Cloud Implications for Comprehensive Compliance within IT Standards/Regulations
•Challenges in the Comprehensive Compliance Space
2. Agenda
• Introduction
• What is HIPAA today?
• How the Omnibus Rule and HITECH tie into HIPAA, and what they mean in its context
• High level requirements of the HIPAA Privacy, Security and Breach Notification Rules for covered entities and business associates
• Lessons Learned - Demonstrating Compliance
• Maintaining effective compliance with CaaS
• Q&A
3. Introduction
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› Shared Assessment/BITS FISAP Assessor
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
› Certified ISO 27001 Assessor
› EI3PA Assessor
› SSAE16, SOC1, SOC2, SOC3 Audits
› HITRUST and HIPAA
4. What is HIPAA today?
Health Insurance Portability & Accountability Act of 1996 & HIPAA Omnibus Rule:
• Establishes administrative, physical and technical security and privacy standards
• Applies to both healthcare providers and business associates (3rd parties)
• Attributes responsibility for monitoring HIPAA compliance of business associates to healthcare providers
• Assessment of compliance of business associates due 09/23/13
5. HIPAA, HITECH and the Omni-bus Rule
HITECH
• Specifically extends security, privacy and breach notification requirements to Business Associates (BA)
• Establishes mandatory penalties for ‘willful neglect’
• Imposes data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI”
• Institutes third party management and monitoring as ‘due diligence’ and ‘due care’ provisions
• Establishes the right for patients to obtain their PHI in an electronic format (i.e. ePHI)
Omni-bus Rule
• Finalization of interim rules outlined in the HITECH act
• Formalizes enforcement provisions for breaches
• Expands definition of BA to include subcontractors of BA (BA of BA)
• Clarifies that HHS will determine the actual maximum for penalties
• Covered Entities (CE) and BA are liable for the acts of BA and their subcontractors
• Requires an ongoing monitoring process for the organization’s security programs and processes.
6. HIPAA Enforcement
• HHS’ Office of Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules
› Performing investigations of complaints (95,588 reported since 2003; 22,497 investigated by OCR)
› Random sampling of organizations (115 performed in 2012)
› Assessment of risk/exposure based on transaction volumes (CEs and BAs)
• OCR resolution options
› Voluntary compliance,
› Corrective action, and/or
› Resolution agreement
• OCR referrals to Department of Justice (DOJ)
› Cases involving knowingly disclosing or obtaining PHI
› 526 cases have been referred to date
• HHS determines penalties (Federal)
› Additional penalties levied by individual State Attorneys General for affected residents
› Funds approximately half of OCR audit operations cost from fines
7. Fines/Penalties

| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |

Source: http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
8. Enforcement Results

| Organization | Penalty (Federal) | Nature of Violation |
|---|---|---|
| CIGNET | $4,300,000 | Online database application error. |
| Alaska Department of Health and Human Services | $1,700,000 | Unencrypted USB hard drive stolen, poor policies and risk analysis. |
| WellPoint | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a tech eval in response to software upgrade. |
| Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen. |
| Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen, poor risk analysis, policies. |
| Affinity Health Plan | $1,215,780 | Returned photocopiers without erasing the hard drives. |
| South Shore Hospital | $750,000 | Backup tapes went missing on the way to contractor. |
| Idaho State University | $400,000 | Breach of unsecured ePHI. |
| Shasta Regional Medical Center | $275,000 | Inadequate safeguarding of PHI from impermissible uses and disclosures. |
| Phoenix Cardiac Surgery | $100,000 | Internet calendar, poor policies, training. |
| The Hospice of Northern Idaho | $50,000 | Breach of unsecured ePHI. Unencrypted laptop stolen, no risk analysis. |

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
9. Looking Forward….
• Leon Rodriguez (HHS OCR Director)
› "I think all these (17) cases really powerfully articulate those expectations and the fact that we will be holding people accountable."
› “…those numbers are expected to go up, especially when the official audit program goes live this year.”
› When asked regarding root cause or biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike: the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis."
• Onshore/Offshore BAs and their BAs
› Enforcement actions on BAs with onshore business units are clear cut
› For BAs with only offshore business units, enforcement actions are levied through CEs.
10. HIPAA Requirements – Privacy Rule
Privacy Rule Main Points:
• Requires appropriate safeguards to protect the privacy of personal health information
• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
• Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
• Requires compliance with the Security Rule
For BAs:
• Requires breach notification to the Covered Entity
• Requires giving either the individual or the Covered Entity access to PHI
• Requires reporting the disclosure of PHI to the Secretary of HHS
• Requires providing an accounting of disclosures.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
11. HIPAA Requirements – Security Rule
Administrative Safeguards:
• Security Management Process - Risk Analysis (required), Risk Management (required), Sanction Policy (required), Information System Activity Review (required)
• Assigned Security Responsibility - Officers (required)
• Workforce Security - Employee Oversight (addressable)
• Information Access Management - Multiple Organizations (required) and ePHI Access (addressable)
• Security Awareness and Training - Security Reminders (addressable), Protection Against Malware (addressable), Login Monitoring (addressable), Password Management (addressable)
• Security Incident Procedures - Response and Reporting (required)
• Contingency Plans (required)
• Evaluation (required)
• Business Associate Agreements (required)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Technical Safeguards:
• Access Control - Unique User Identification (required), Emergency Access Procedure (required), Automatic Logoff (addressable), Encryption and Decryption (addressable)
• Audit Controls (required)
• Integrity - Mechanism to Authenticate ePHI (addressable)
• Person or Entity Authentication (required)
• Transmission Security - Integrity Controls (addressable), Encryption (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Physical Safeguards:
• Facility Access Controls - Contingency Operations (addressable), Facility Security Plan (addressable), Access Control and Validation Procedures (addressable), Maintenance Records (addressable)
• Workstation Security (required)
• Device and Media Controls - Disposal (required), Media Re-Use (required), Data Backup and Storage (addressable)
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
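The Security Rule names Audit Controls, Information System Activity Review and Login Monitoring as safeguards but does not say how to perform them. The script below is an added example of what such a review looks like in practice; it is not code from the presentation or from ControlCase. It parses EHR audit records and flags two things an OCR investigator asks about: bursts of failed logins, and chart views by users with no documented care relationship to the patient (including workforce members looking up their own record). The log format, usernames, patient IDs, care-team table and thresholds are all constructed assumptions for the example.

```python
"""Information system activity review over EHR audit records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in an assumed pipe-delimited format:
# timestamp | user | event | patient_id | outcome
SAMPLE_LOG = """\
2013-10-01T08:01:10 | jsmith | LOGIN      | -     | FAIL
2013-10-01T08:01:25 | jsmith | LOGIN      | -     | FAIL
2013-10-01T08:01:40 | jsmith | LOGIN      | -     | FAIL
2013-10-01T08:01:55 | jsmith | LOGIN      | -     | FAIL
2013-10-01T08:02:30 | jsmith | LOGIN      | -     | FAIL
2013-10-01T08:05:00 | drlee  | LOGIN      | -     | OK
2013-10-01T08:06:12 | drlee  | VIEW_CHART | P1001 | OK
2013-10-01T08:07:45 | drlee  | VIEW_CHART | P1002 | OK
2013-10-01T09:15:00 | bclerk | LOGIN      | -     | OK
2013-10-01T09:16:03 | bclerk | VIEW_CHART | P1002 | OK
2013-10-01T09:20:00 | nkim   | VIEW_CHART | P2001 | OK
"""

# Constructed care-team table: which users have a treatment relationship with
# which patients. In a real deployment this comes from the EHR or scheduling data.
CARE_TEAM = {"P1001": {"drlee"}, "P1002": {"drlee"}, "P2001": {"drlee"}}

# Constructed mapping of workforce members to their own patient record.
USER_PATIENT_ID = {"nkim": "P2001"}

FAILED_LOGIN_THRESHOLD = 5           # assumed alerting threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the sample format into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        ts, user, event, patient, outcome = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "event": event,
            "patient": None if patient == "-" else patient,
            "outcome": outcome,
        })
    return records


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Users with at least `threshold` failed logins inside any sliding `window`."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r["outcome"] == "FAIL":
            failures[r["user"]].append(r["ts"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def unauthorized_chart_access(records, care_team=CARE_TEAM, self_map=USER_PATIENT_ID):
    """(user, patient, reason) for successful chart views outside a documented relationship."""
    findings = []
    for r in records:
        if r["event"] != "VIEW_CHART" or r["outcome"] != "OK":
            continue
        user, patient = r["user"], r["patient"]
        if self_map.get(user) == patient:
            findings.append((user, patient, "self-lookup"))
        elif user not in care_team.get(patient, set()):
            findings.append((user, patient, "no care-team relationship"))
    return findings


def review(text):
    """Run both checks over a log and return the findings for the reviewer's sign-off."""
    records = parse_log(text)
    return {
        "failed_login_bursts": sorted(failed_login_bursts(records)),
        "chart_access_findings": unauthorized_chart_access(records),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

The point of the care-team check is that an audit log alone satisfies "Audit Controls" but not "Information System Activity Review": the log has to be compared against something that says who was supposed to be in the record, and the reviewer's sign-off on the output is the evidence an investigator will ask for.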
12. HIPAA Requirements – Breach Notification
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
Unsecured PHI
PHI counts as "secured" (so its loss or theft is not a reportable breach) only when it has been rendered unusable, unreadable or indecipherable to unauthorized persons by the methods HHS specifies.
Transmission and storage: encryption consistent with NIST Special Publication 800-111 for data at rest and, for data in motion, with NIST Special Publications 800-52 and 800-77 or other Federal Information Processing Standards (FIPS) 140-2 validated processes
Destruction: paper PHI shredded or otherwise destroyed; electronic PHI cleared, purged or destroyed consistent with NIST Special Publication 800-88
Breach Notification
Methods: individual notice by first-class mail, or by email where the individual has agreed to electronic notice; notice to prominent media outlets; substitute notice, including posting on the home page of the web site for at least 90 days, where contact information is insufficient; if a BA, notice to the CE. All without unreasonable delay and no later than 60 days after discovery.
Notification Thresholds
500 or more individuals: notify the affected individuals and HHS within 60 days of discovery, and the media where more than 500 residents of a state or jurisdiction are affected
Fewer than 500 individuals: notify the affected individuals within 60 days; report to HHS in an annual consolidated log, within 60 days after the end of the calendar year in which the breach was discovered
Burden of Proof
CEs/BAs must be able to prove that they notified the affected parties within the specified time periods, or face penalties
13. HIPAA Requirements – BAs and subcontractors
• Comply directly with the HIPAA Regulation
• Business associates must identify, assess and monitor their
supporting business associates (BAs of BAs) and provide
regular updates to the respective CE
• BAs must establish and define (contractually) security
requirements, right to audit, incident reporting clauses with
their service providers
• BAs must implement an effective monitoring/assessment
process based on the nature of the data exchanged with
service providers
• Be able to show due diligence/due care with respect to
monitoring their supplier’s security compliance
14. Lessons Learned - Demonstrating Compliance
• Risk Assessments
– Not performed, not updated or not documented
– Limited scope: facilities, processing environment, personnel, software
– Not aligned with controls or monitoring
• Inventories (Asset Management)
– Out of date or not documented: hardware, software, interfaces, dataflow diagrams/process descriptions, removable media, teleworkers (remote), BAs and subcontractors
• No BA/Vendor Management program
• Policies, procedures and standards (Governance)
• Hardening and patch management
– None or not implemented
– Not monitored/no follow-up
– End-of-life systems still in use
• Vulnerability Management
– Inconsistent/incomplete internal vulnerability and penetration testing for networks and applications
– Remediation gaps
– No Internet content restrictions
15. Lessons Learned (continued)
• System Logging and Monitoring
– Not implemented/inconsistent
– Not retained or analyzed
– Lack of oversight and approval
• No or inconsistent encryption of data in transmission or storage
• Media management and tracking gaps
• Untested incident and breach response processes for PHI-related disclosures
• User Provisioning
– Excessive privileges/accesses
– No formal documentation of rationale
– Lack of oversight and approval
• Training and awareness
– Not HIPAA oriented
– No refresh
– Lack of evidence of attendance
• Inadequate business continuity and disaster recovery
• Failure to monitor external maintenance personnel
16. Root Causes
• Operational Conflicts of Interest
– Maintaining versus securing
– Capacity and focus
– Lack of resources for monitoring and maintaining compliance after achieving initial compliance
• No assignment of accountability
• Personnel turnover
• Lack of expertise and objectivity
• Process disconnects between HR, change management, IT and systems acquisition
17. The Path Forward and Beyond
• Risk Assessments – complete, detailed, controls aligned to mitigate risk, and a program to monitor the effectiveness of those controls
• Inventories (Asset Management) – documented, covering all hardware, software, interfaces (internal and external), process documentation (DFD) with narratives, removable media (with method of encryption), teleworkers, and BAs and subcontractors (including what PHI is shared and how it is protected)
• BA Management Program – identifies in-scope and out-of-scope organizations, the data that is shared, an assessment of risk, the method to monitor and track HIPAA compliance, and the results of monitoring
• Policies, procedures and standards (Governance) – complete, including Sanction/Corrective Action policies and evidence that they are implemented
• Hardening and patch management – covers all assets that process PHI; tied to asset management and verified by internal/external vulnerability scans
• Vulnerability Management – covers all assets that process PHI; includes remediation and retesting to verify remediation effectiveness
• System Logging and Monitoring – covers all systems, databases and applications that process, transmit or store PHI
18. The Path Forward and Beyond (continued)
• Data Encryption – in transit and at rest, tied to DFD and process narratives
• Media Management and Tracking – covers removable encrypted media, tied to DFD and process narratives
• Incident and Breach Response Processes – defined and tested to address breach and disclosure of PHI, with an understanding of who is impacted and who needs to be notified
• User Provisioning – to specific systems/applications, with two-manager review (business and IT Security)
• Training and awareness – covers new hires with annual retraining, maintaining a roster of completion and non-compliance
• Business Continuity and Disaster Recovery – must show that PHI would be available after a disaster
• Personnel Monitoring – covers employees, contractors and third parties that have access to PHI (physical and electronic)
19. How ControlCase Supports CEs and BAs
• Compliance as a Service (CaaS)
› Integration of services, software and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC
› Allows clients to easily assess, monitor and maintain compliance not only with HIPAA, but across multiple standards
› Services include
• Gap and risk assessments (initial and on-going)
• Automated data discovery for the 18 PHI identifiers
• Policies and procedures
• Training and awareness; records
• External and internal vulnerability assessments for networks and applications
• External and internal penetration tests for networks and applications
• BA/Supplier identification, management and assessments
• Logging and monitoring
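"Automated data discovery for the 18 PHI identifiers" is a service line on the slide; what it means in practice is scanning file shares, exports and logs for the identifiers that have a recognisable syntax. The script below is an added example of that technique and is not ControlCase's tool or code from the presentation. It covers the Safe Harbor identifiers that regular expressions can find (SSN, phone/fax, email, IP address, URL, full date, medical record number); names, street addresses, biometrics and photographs need other methods and are deliberately left out. The sample files, the SSN validity rules used to cut false positives, and the "MRN" record-number format are constructed assumptions for the example. One design choice worth copying: the report masks each hit, so the discovery output does not itself become a new store of PHI.

```python
"""Pattern-based discovery of PHI identifiers in text files (added example)."""
import re
from collections import Counter

# Regexes for the Safe Harbor identifiers that have a recognisable syntax.
PATTERNS = {
    # SSN: rejects area 000/666/9xx, group 00 and serial 0000, which never occur in issued SSNs
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # US phone or fax numbers with any common separator; lookarounds stop partial hits
    "phone_or_fax": re.compile(r"(?<![\w-])(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\w)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    # Full dates (month and day, not a bare year) in US MM/DD/YYYY form only
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # Medical record number: an assumed local format, "MRN" followed by 6-10 digits
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}

# Constructed sample corpus: {path: contents}. Nothing here is real data.
SAMPLE_FILES = {
    "exports/claims_2013.csv": (
        "id,name,ssn,dob,phone,email\n"
        "1,Jane Roe,123-45-6789,04/12/1971,(555) 123-4567,jane.roe@example.com\n"
        "2,John Doe,000-12-3456,year 1968,555.987.6543,jdoe@example.org\n"
    ),
    "logs/app.log": (
        "2013-10-01 08:05:00 INFO user drlee viewed MRN 00482913 from 10.20.30.40\n"
        "2013-10-01 08:06:00 INFO portal link https://portal.example.com/patient/00482913\n"
    ),
    "notes/readme.txt": "Nothing sensitive here, version 2.0.1 released 2013.\n",
}


def mask(value, keep=4):
    """Report only the tail of a hit so the discovery report is not itself a PHI store."""
    return "*" * min(max(len(value) - keep, 0), 8) + value[-keep:]


def scan_text(text, patterns=PATTERNS):
    """Return (line_no, category, masked_value) for every hit in one document."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, rx in patterns.items():
            for m in rx.finditer(line):
                findings.append((line_no, category, mask(m.group(0))))
    return findings


def scan_files(files, patterns=PATTERNS):
    """files is {path: text}; returns {path: findings} for the files that contain hits."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text, patterns)
        if hits:
            report[path] = hits
    return report


def summarize(files, patterns=PATTERNS):
    """Hit count per identifier category across all files, for the inventory/DFD."""
    counts = Counter()
    for hits in scan_files(files, patterns).values():
        counts.update(category for _, category, _ in hits)
    return dict(counts)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path)
        for line_no, category, masked in hits:
            print(f"  line {line_no}: {category} {masked}")
    print(summarize(SAMPLE_FILES))
```

The readme with a version string "2.0.1" and the invalid SSN "000-12-3456" are in the sample on purpose: a scanner that reports those will be ignored after the first week, so the validity checks matter as much as the patterns. Hits in the log file are the kind of finding that feeds the asset inventory and dataflow diagram, since a log that holds MRNs is itself a system that stores PHI.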
Good day,
Welcome to the ControlCase (HIPAA) Compliance Webinar.
My name is Hugh Kominars; I am a Vice President and lead ControlCase’s Healthcare Compliance Services. I have worked in the healthcare compliance and risk management space since 2004.
I would like to cover some housekeeping topics before we start:
first, can you hear me clearly?
Regarding questions, feel free to type your question in the ‘question’ box on your right or send me an email; my contact information is provided at the end of the presentation
Also – at the end of this webinar, you will be sent a link where you can register and listen/observe the recorded webinar.
The topics that we will be covering today include: a current update on HIPAA, the impact of the HITECH and Omnibus rules on CEs and BAs, a high-level overview of the Privacy, Security and Breach Notification rules, a review of lessons learned and of how to demonstrate compliance before, during and after an investigation/audit, and ControlCase’s CaaS for HIPAA solution.
Before diving in…. I would like to introduce you to our company:
We are an international IT security and compliance service provider that delivers services in over 40 countries to 400-plus clients.
Many of our clients and future clients must comply with one or more regulations or industry-driven standards.
We provide gap assessments, risk assessments, information security services (data discovery, vulnerability and penetration testing, file integrity and system/database activity monitoring), and certification and reporting on compliance across the spectrum of regulations and industry-driven standards presented here.
We are also recognized as a leader in helping clients manage and maintain compliance across multiple standards: by leveraging our understanding of our clients’ processes and reusing related evidence (testing, inspections) to support control requirements, we lower the overall cost of complying with multiple standards.
This is a short summary of what HIPAA means today …. The majority of changes to HIPAA have been introduced and strengthened by the recent passage of the HITECH and Omni-bus rules.
A key provision came into effect on September 23, 2013 that requires CEs to assess the compliance of their BAs.
Next, I would like to cover HITECH and Omni-bus provisions:
HITECH, passed in 2009, introduces the following modifications/clarifications to HIPAA: it extends HIPAA to BAs, establishes mandatory penalties for ‘willful neglect’, adds breach notification requirements and BA management and monitoring requirements, and clarifies patients’ rights to obtain their PHI from both CEs and BAs.
I would like to clarify what "willful neglect" means: it is determined on a case-by-case basis, but we believe that a CE/BA with "no story" regarding compliance (or so minimal a story as to portray a cavalier attitude toward compliance) will likely be at significant risk.
The Omnibus rule (published in January 2013) clarifies how HHS determines the maximum penalties: the established maximum for violations of a single provision is 1.5M USD per calendar year, and violations of several different provisions (three, four, ten of them) can each be treated separately and fined up to that 1.5M USD maximum.
Next, I would like to cover the enforcement of HIPAA as it stands today.
HHS’s Office for Civil Rights (OCR) is responsible for enforcing compliance, and does so by investigating complaints, performing ‘random’ audits, and selecting organizations based on perceived risk and exposure. Last but not least, OCR investigates companies that notify HHS that they have suffered a breach.
Resolution strategies in the event of positive findings include voluntary compliance, implementation of a corrective action plan, and/or a resolution agreement (contract) between HHS and the CE/BA.
The last point I would like to raise before moving on is that almost half of OCR’s audit operations are funded from the fines it imposes.
This table summarizes the minimum and maximum penalties that HHS can levy for non-compliance. Please note that minimum and maximum penalties are defined regardless of the cause of the breach or disclosure of PHI.
The amounts listed are per violation. For example, if an organization fails to perform a risk analysis (RA) or to remediate gaps identified by an RA or vulnerability scan, fails to patch and harden systems that process PHI, and fails to train its staff, the theoretical maximum penalty could reach 4.5M USD (three provisions, each at the 1.5M USD maximum).
This table depicts the enforcement actions from the last two years and includes the organization’s name, the fine imposed and the nature of the violation.
While there have been only 17 enforcement actions over the last two years (2012, 2013), this does not reflect any associated state attorneys general fines or penalties, or the cost of responding and implementing voluntary compliance, corrective action or resolution agreements for companies that were not financially penalized by HHS for non-compliance.
Unencrypted Data
The vast majority of data breaches are due to stolen or lost data that was unencrypted. When in doubt, implement the addressable implementation specifications. Under the Security Rule, "addressable" does not mean optional: you must either implement the specification or document why it is not reasonable and appropriate for your environment and implement an equivalent alternative measure. Most of them are best practices, and encryption that meets the HHS guidance also keeps lost or stolen data out of the breach definition altogether.
Employee Error
Employee error was a contributing factor: losing unencrypted portable devices, mistakenly sending PHI to vendors who then posted that information online, or disclosing personally identifiable, sensitive information on social networks. All of these are examples from actual cases. Employee training and adherence to security policies and procedures are extremely important.
Data Stored on Devices
Almost half of all data breaches are the result of theft. When laptops, smartphones, etc. are unencrypted, the risk of a breach increases considerably.
Business Associates
Almost two-thirds of data breaches involved a business associate. In other words, you delegated a covered function or activity to someone, and that someone messed up. So pick your partners carefully. Some of the largest breaches reported to HHS have involved business associates. As a result, the final Omnibus rule expanded many of the requirements to business associates and greatly enhanced the government’s ability to enforce the law.
Looking forward, the head of OCR has indicated that he expects more investigations and fines/penalties for non-compliance going forward, stemming from complaints, audits and disclosures. OCR has over 275 investigators to perform inspections and investigations.
Onshore/offshore BAs and their BAs are also under the microscope. For BAs with an onshore presence, enforcement will be direct. For offshore-only BAs, enforcement will be levied through the CE, which will institute fines and penalties up to and including contract termination.
Next, I would like to review the HIPAA privacy rule provisions at a high level:
Requires appropriate safeguards to protect the privacy of personal health information
Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections
Requires compliance with the Security Rule
In short, the Privacy Rule requires that PHI be protected using defined, implemented and monitored safeguards. The specific requirements for notifying individuals, HHS and (for a BA) the CE are set out in the Breach Notification Rule, covered below.
I have included a link to the HHS website for more details
For HIPAA security, the nature and requirements of the HIPAA Security Rule haven’t changed since before 2009, so I’m not going to go into detail on the specific safeguards; detailed descriptions and expectations are readily available online. I have included links to official HHS resources and would encourage you to review them and ensure that you are familiar with the specific rules.
The takeaway on HIPAA security is that it mirrors many of the same requirements found in PCI DSS, ISO 27001/2, NIST 800-53, etc.
Next, I would like to review the major objectives incorporated within the Breach Notification rule: the definition of breach, how to secure PHI so that its loss is not a reportable breach (along with the official standards), appropriate breach notification methods, breach notification thresholds, and the formal placing of the burden of proof of compliance with this rule on CEs and BAs.
“PROOF” includes maintaining documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required:
(1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or
(2) the application of any other exceptions to the definition of “breach.”
As mentioned earlier, the biggest impact of recent HITECH and Omni-bus rules is the inclusion of BAs and their subcontractors for HIPAA compliance.
Waiting until the organization is under investigation or being audited is not the appropriate time to think about how to demonstrate compliance with HIPAA. By that time, it is too late.
The following lessons learned or gaps were observed during a host of HIPAA compliance assessments of CE and BA that we performed within the US and internationally.
You should consider taking these points and reviewing your existing HIPAA compliance program to determine whether these areas are appropriately covered.
When we look at the underlying causes of these gaps/issues, we have found one or more of the following conditions contributing to the non-compliance or gap:
- Operational conflicts of interest: maintaining versus securing systems and facilities; capacity and focus of personnel; lack of expertise and objectivity regarding IT security; lack of resources for monitoring and maintaining compliance after achieving initial compliance
- No assignment of accountability for assets and processes (essentially orphaned)
- Personnel turnover
- Process disconnects between HR, change management, IT and systems acquisition
Please note that in no instance did we find an organization that did not want to comply with HIPAA; however, the effort to become and remain compliant outstripped their resources in terms of personnel, funding and oversight, since many of the activities and processes needed to comply with HIPAA are labor intensive, are not transparent, and are left to groups within the organization that have other priorities and obligations.
All in all, these activities are time consuming, can be very technical in nature and tend to be labor intensive.
If you want feedback regarding the approach or quality of your related process, please feel free to contact me….
What I would like to present now is how ControlCase approaches these challenges using our HIPAA CaaS solution…….
Next, I would like to give you a short overview of our HIPAA Compliance as a Service (CaaS)
a. Integration of services, software and compliance management and reporting for HIPAA, PCI, ISO 27001/2, SSAE16 and SAP through our cloud-based GRC
b. Allows clients to easily assess, monitor and maintain compliance not only with HIPAA, but across multiple standards
c. Brings together technical services that include:
Gap and Risk assessments (initial and on-going)
Automated data discovery for the 18 PHI identifiers
Policy and procedures
Training and awareness; records
External and internal vulnerability assessments for networks and applications
External and internal penetration tests for networks and applications
BA/Supplier identification, management and assessments
Logging and monitoring
Next I would like to show you some screenshots from CaaS, however it doesn’t do our solution justice and I would recommend that you schedule a full demo if you are interested.
Our CaaS solution maps to the following HIPAA standards and is designed to incorporate activities and services performed by internal resources and/or external resources like ControlCase or other IT security service providers.
I have included the external references used within today’s presentation to support your ongoing research.
I would like to open the floor for Questions and Answers
Thank you for attending today’s webinar. Feel free to send me an email or to call one of the above numbers depending on your locale.
We will be sending out a link for you to register and access a recording of today’s webinar.